Restricting who an enrollment agent can enroll for

  • Last Post 21 September 2016
Ravi.Sabharanjak posted this 20 September 2016

We would like to use an enrollment agent for the provisioning team that will be provisioning smart cards for end users, so that end users don't have to do the enrollment themselves. However, the concern is that they will thereby be able to enroll a smart card for the Domain Admins as well. Is there a way to restrict the enrollment agent so that it cannot be misused this way?
We are using the versa-sec software for smart card management.
Thanks and regards, -Ravi

BrianB posted this 21 September 2016

Brainstorming here…

If you are using an Enterprise CA, you could create a new template and then set up security to deny Enroll and Autoenroll on the certificate template so that Domain Admins can't enroll. Granted, a domain admin can add themselves to Enterprise Admins and modify the template later, but that is a manual process that you could set monitoring and alerting on.

Brian Britt
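
The template-DACL approach Brian describes, as an added example that is not from the original thread, from Microsoft, or from any vendor: a PowerShell script that adds Deny ACEs for the Enroll and Autoenroll extended rights on one template's AD object for Domain Admins, and then turns on success auditing of writes to that object so the later tampering he mentions (a domain admin editing the template) lands in the Security log as Directory Service Access events (4662) once that audit subcategory is enabled on the domain controllers. The template CN "SmartCardProvisioning" and the group name are placeholders; the script assumes the RSAT ActiveDirectory module, a session that can modify the Configuration partition, and the privilege to read and write SACLs. The two extended-right GUIDs are resolved from the Extended-Rights container rather than typed in, so a typo there cannot silently deny the wrong right.

```powershell
# Added example (not from the thread): deny "Enroll"/"Autoenroll" on one certificate
# template for a group, and audit later writes to that template object.
# Assumptions: RSAT ActiveDirectory module, rights on the Configuration partition,
# SeSecurityPrivilege for SACL access. Template and group names are placeholders.
Import-Module ActiveDirectory

$TemplateName = 'SmartCardProvisioning'   # placeholder: CN of your own template
$DenyGroup    = 'Domain Admins'           # group that must not be enrolled for

$ConfigNC   = (Get-ADRootDSE).configurationNamingContext
$TemplateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"

# Resolve the extended-right GUIDs from the schema instead of hard-coding them.
$ExtRights = Get-ADObject -SearchBase "CN=Extended-Rights,$ConfigNC" `
    -LDAPFilter '(displayName=Certificate-*)' -Properties displayName, rightsGuid
$EnrollGuid     = [Guid]($ExtRights | Where-Object { $_.displayName -eq 'Certificate-Enrollment' }).rightsGuid
$AutoEnrollGuid = [Guid]($ExtRights | Where-Object { $_.displayName -eq 'Certificate-AutoEnrollment' }).rightsGuid

$GroupSid = (Get-ADGroup $DenyGroup).SID
$AclPath  = "AD:\$TemplateDN"

# -Audit pulls the SACL as well, so we can add an audit rule in the same write.
$Acl = Get-Acl -Path $AclPath -Audit

# One Deny ACE per extended right (Enroll, Autoenroll) for the group.
foreach ($Guid in @($EnrollGuid, $AutoEnrollGuid)) {
    $Rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $GroupSid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $Guid)
    $Acl.AddAccessRule($Rule)
}

# Audit any successful write to the template's attributes, DACL or owner by anyone
# (Everyone = S-1-1-0); these surface as event 4662 when DS Access auditing is on.
$Everyone  = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$AuditRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $Everyone,
    ([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner),
    [System.Security.AccessControl.AuditFlags]::Success)
$Acl.AddAuditRule($AuditRule)

Set-Acl -Path $AclPath -AclObject $Acl

# Verify: list every Deny ACE now present on the template.
(Get-Acl -Path $AclPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
```

Two checks before relying on this: first, submit a real on-behalf-of request from the enrollment agent for a member of the denied group and confirm the CA refuses it, because the template DACL is evaluated by the CA and the Deny only helps if the CA applies it to the subject of the request and not just to the requesting agent; second, an Enterprise CA also carries a CA-level restriction (CA Properties, Enrollment Agents tab, "Restrict enrollment agents") that limits which agents may request which templates for which users or groups, which addresses this problem more directly than a template ACL and should be considered alongside it.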


Ravi.Sabharanjak posted this 20 September 2016

I had not, thank you!



hcoleman posted this 20 September 2016

Have you seen https://technet.microsoft.com/en-us/library/cc754154(v=ws.11).aspx ?
