Local Registration Authority
Hi,
if you agree that Forefront Identity Manager is the Microsoft equivalent of an RA, how would you use this to implement an LRA, which is a subset of the RA and should only see a restricted number of certificates, say for a department or subsidiary company rather than the whole thing?
The only way I can figure at present is:
Create LRA1 and LRA2 user accounts in AD.
Create separate certificate templates for company A and B.
Set the necessary permissions for LRA2 on the certificate templates via “security tab” for Company A certificates.
Set the necessary permissions for LRA1 on the certificate templates via “security tab” for company B certificates.
Set “require approver” on all certificate templates.
Setting the LRA’s permissions to prevent “viewing of the request for company B certificates” is a little tricky, as if you use the GPO to restrict access this is set as a global setting and prevents access to the CA altogether.
Other than having two different CAs, that is.
August 8th, 2011 10:59pm
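Steps 7 to 10 above for a single template, as an added PowerShell example (not code from the thread): it grants one LRA account Read and Enroll on one company's certificate template and sets that template's "CA certificate manager approval" flag. The template name and LRA account are assumptions; the script needs the ActiveDirectory module and write access to the Configuration partition.

```powershell
# Added example, not from the original post. Template and account names are hypothetical.
Import-Module ActiveDirectory

$templateName = 'CompanyA-User'    # hypothetical template cn (not the display name)
$lraAccount   = 'CONTOSO\LRA2'     # hypothetical LRA account for company A
$configNC     = (Get-ADRootDSE).configurationNamingContext
$templateDN   = "CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Well-known control-access-right GUID for Certificate-Enrollment ("Enroll")
$enrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

$identity = New-Object System.Security.Principal.NTAccount($lraAccount)
$acl      = Get-Acl -Path "AD:\$templateDN"

# Read on the template object (required alongside Enroll)
$readRule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow)

# Enroll is an extended right, identified by the GUID above
$enrollRule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $enrollRight)

$acl.AddAccessRule($readRule)
$acl.AddAccessRule($enrollRule)
Set-Acl -Path "AD:\$templateDN" -AclObject $acl

# "CA certificate manager approval" is CT_FLAG_PEND_ALL_REQUESTS (0x2) in
# msPKI-Enrollment-Flag; OR it in so the template's other flag bits are kept.
$tmpl  = Get-ADObject -Identity $templateDN -Properties 'msPKI-Enrollment-Flag'
$flags = [int]$tmpl.'msPKI-Enrollment-Flag' -bor 0x2
Set-ADObject -Identity $templateDN -Replace @{ 'msPKI-Enrollment-Flag' = $flags }
```

Run it once per template and LRA pairing (company B's template with LRA1); template ACLs only control who can enroll, not which pending requests an LRA can see on the CA, which is the part the post calls tricky.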
If you want to have LRA1 being able to manage certificates for company B and LRA2 for company A, and if "viewing" but not managing is not an issue, please consider the Restrict Certificate Managers feature http://technet.microsoft.com/en-us/library/cc753372(WS.10).aspx.
/Hasain
August 13th, 2011 12:43am