Script AD CS Security tab
Hi, how do I change the Security tab contents of the Active Directory Certificate Services (AD CS) certification authority? I need to script the installation/config, so CMD, VBS or PowerShell are my options. Where are the permissions such as the "Manage CA", "Issue and Manage Certificates" or "Request Certificates" stored?
I am currently able to script quite everything except for the Security tab. Would you please be able to help me out?
Thanks
Ondrej.
October 19th, 2011 11:36am
You can use certutil -setreg ca\security / certutil -getreg ca\security
/Hasain
October 19th, 2011 11:48am
Nice, thanks. BUT, I can -getreg the contents, but how do I -setreg the values properly?
o.
October 19th, 2011 2:15pm
I would assume there should be some SDDL string that does the magic, but I was not able to come up with anything that would work.
ondrej.
October 19th, 2011 2:59pm
The value is stored in binary format in the registry and should be some security descriptor, but I have not investigated whether it is possible to input a non-binary string using certutil -setreg.
/Hasain
October 20th, 2011 1:22am
There is nothing to deal with SDDL. General guidance is:
1) convert binary ACL to WMI-compatible security descriptor.
2) edit Win32_SecurityDescriptor as desired (by utilizing Win32_ACE and Win32_Trustee WMI classes).
3) convert new Win32_SecurityDescriptor to a binary array and assign back to CA.
I'm not sure about exact certutil syntax, so I would advise to use ICertAdmin.SetConfigEntry() or reg.exe to set REG_BINARY.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
October 20th, 2011 8:04am
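The three steps from the reply above, as an added PowerShell example (not code from the thread, and not the proof of concept mentioned later). It swaps the WMI classes for the .NET `RawSecurityDescriptor` and `CommonAce` types and writes the REG_BINARY value through the registry provider; the CA name and account are placeholders, and the access-mask bits are the CA_ACCESS_* values as I know them, not values given in the thread.

```powershell
# Added example. Without -Apply it only decodes and prints; nothing is written.
param(
    [string]$CaName  = 'Contoso-Issuing-CA',    # placeholder CA name
    [string]$Account = 'CONTOSO\PKI-Officers',  # placeholder principal to add
    [switch]$Apply
)

# CA rights as bits of the ACE access mask (assumed CA_ACCESS_* values)
$Rights = [ordered]@{
    'Manage CA'                     = 0x001
    'Issue and Manage Certificates' = 0x002
    'Read'                          = 0x100
    'Request Certificates'          = 0x200
}

$key = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
[byte[]]$old = (Get-ItemProperty -Path $key -Name Security).Security

# Step 1: binary value -> security descriptor object
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($old, 0)

function Show-CaAcl($Descriptor) {
    foreach ($ace in $Descriptor.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        [pscustomobject]@{
            # Fall back to the raw SID when the name cannot be resolved
            Trustee = $(try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                        catch { $sid.Value })
            Type    = $ace.AceType
            Rights  = ($Rights.Keys | Where-Object { $ace.AccessMask -band $Rights[$_] }) -join ', '
        }
    }
}

# Step 2: append an allow ACE for the new officer group
$ntAccount = New-Object System.Security.Principal.NTAccount($Account)
$sid  = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier])
$mask = $Rights['Issue and Manage Certificates']
$ace  = New-Object System.Security.AccessControl.CommonAce(
            [System.Security.AccessControl.AceFlags]::None,
            [System.Security.AccessControl.AceQualifier]::AccessAllowed,
            $mask, $sid, $false, $null)
$sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
Show-CaAcl $sd   # review the resulting ACL before writing anything

# Step 3: descriptor -> binary, keep a backup of the old value, write back
if ($Apply) {
    [IO.File]::WriteAllBytes("$env:TEMP\$CaName-Security.bak", $old)
    $new = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($new, 0)
    Set-ItemProperty -Path $key -Name Security -Value $new -Type Binary
    Restart-Service certsvc   # assumption: the CA re-reads the value on restart
}
```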
Exquisite! Thanks! I am going to give it a try and will post back the results.
o.
October 20th, 2011 8:05am
Ondrej, I've sent you a proof of concept.
October 20th, 2011 9:17am


