Optional: Delegating Permissions to Run FIM CM Configuration Wizard

Updated: November 8, 2010

Applies To: Forefront Identity Manager Certificate Management

The FIM CM Configuration Wizard writes to two containers under Public Key Services in the Configuration partition of the forest: the Certificate Templates container and the Profile Templates container. By default only administrators of the forest root domain can write there, so if a member of the Domain Admins group of a child domain is to run the wizard, you must perform the following procedure first to grant that group the permissions it needs on both containers.

To perform prerequisite tasks to configure the FIM CM server as a child domain administrator

  1. Grant the following permissions on the Certificate Templates container to the Domain Admins group of the child domain. The container is an Active Directory object (CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,<forest root DN>), so you can edit its ACL with the CA snap-in, with Active Directory Sites and Services after selecting Show Services Node on the View menu, or with ADSI Edit:

    • List Contents

    • Read All Properties

    • Write All Properties

    • Read Permissions

    • Modify Permissions

    • Modify Owner

    • All Validated Writes

  2. Use the Certificate Templates snap-in to grant Read and Write permissions on the User, KeyRecoveryAgent, and EnrollmentAgent based copies of the certificate templates created earlier to the Domain Admins group of the child domain.

  3. Use the Active Directory Sites and Services snap-in to create the container for profile templates:

    • On the View menu, click Show Services Node. Expand Services, select Public Key Services, and create a new object of the Container class named Profile Templates. Verify that the object class is Container (not, for example, organizationalUnit) before you continue.

  4. In Active Directory Sites and Services, grant the following permissions on the Profile Templates container to the Domain Admins group of the child domain:

    • List Contents

    • Read All Properties

    • Write All Properties

    • Read Permissions

    • Modify Permissions

    • Modify Owner

    • All Validated Writes

    • Create All Child Objects

  5. Grant the Restore files and directories user right to the Domain Admins group of the child domain on the root domain controller. User rights on domain controllers are governed by the Default Domain Controllers Policy, so assign the right there (Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment) rather than in the local security policy, where the next policy refresh would overwrite it.

  6. As an option, create the FIM CM agent accounts, and then grant Read and Enroll permissions to the User, KeyRecoveryAgent, and EnrollmentAgent certificate template copies as previously discussed.

  7. Depending on where the FIM CM service connection point is created, AD DS might require additional permissions on that location.

  8. If the FIM CM server and the server on which you installed the CA are in different domains, the domain administrator who runs the FIM CM Configuration Wizard might also require additional access on the CA itself, because the wizard modifies the CA settings.
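The following script is an added example and is not part of the original page or of the FIM CM product. It performs steps 1 through 4 above with the ActiveDirectory PowerShell module instead of the MMC snap-ins and then reads the resulting ACLs back so you can confirm them. It assumes a child domain named child.corp.example and template copies named FIMCMUser, FIMCMKRA and FIMCMEnrollmentAgent; all three names are placeholders, and the mapping of the snap-in's Read and Write check boxes to GenericRead and GenericWrite is the author's choice rather than something the page states.

```powershell
# Added example (not from the original page or from FIM CM). Applies steps 1-4
# with the ActiveDirectory module; run it on a machine with RSAT as an account
# that can write the Configuration partition (for example, a root-domain
# Enterprise Admin). The domain and template names below are assumptions.
Import-Module ActiveDirectory

$childDomain   = 'child.corp.example'                          # assumed
$templateNames = 'FIMCMUser', 'FIMCMKRA', 'FIMCMEnrollmentAgent' # assumed

$configNC           = (Get-ADRootDSE).configurationNamingContext
$pkiDN              = "CN=Public Key Services,CN=Services,$configNC"
$certTemplatesDN    = "CN=Certificate Templates,$pkiDN"
$profileTemplatesDN = "CN=Profile Templates,$pkiDN"

# SID and NetBIOS name of the child domain's Domain Admins group.
$childNetBIOS   = (Get-ADDomain -Server $childDomain).NetBIOSName
$childAdminsSid = (Get-ADGroup -Identity 'Domain Admins' -Server $childDomain).SID

# Snap-in labels mapped to ActiveDirectoryRights flags:
#   List Contents -> ListChildren; Read/Write All Properties -> ReadProperty/WriteProperty;
#   Read Permissions -> ReadControl; Modify Permissions -> WriteDacl;
#   Modify Owner -> WriteOwner; All Validated Writes -> Self;
#   Create All Child Objects -> CreateChild.
$containerRights = [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty, WriteProperty, ReadControl, WriteDacl, WriteOwner, Self'
$profileRights   = [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty, WriteProperty, ReadControl, WriteDacl, WriteOwner, Self, CreateChild'

function Grant-ADObjectRights {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $Sid,
        [Parameter(Mandatory)] [System.DirectoryServices.ActiveDirectoryRights] $Rights
    )
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    # Allow ACE on this object only (inheritance None): the template copies get
    # their own explicit ACEs in step 2 instead of inheriting Write from the
    # container, which keeps the grant to the templates the page names.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

# Step 1: Certificate Templates container.
Grant-ADObjectRights -DistinguishedName $certTemplatesDN -Sid $childAdminsSid -Rights $containerRights

# Step 2: Read and Write on the three template copies (GenericRead/GenericWrite
# is the ACE-level equivalent chosen here for the snap-in's Read and Write boxes).
foreach ($name in $templateNames) {
    Grant-ADObjectRights -DistinguishedName "CN=$name,$certTemplatesDN" -Sid $childAdminsSid `
        -Rights ([System.DirectoryServices.ActiveDirectoryRights]'GenericRead, GenericWrite')
}

# Step 3: create the Profile Templates container (class Container) if missing.
if (-not (Get-ADObject -LDAPFilter '(cn=Profile Templates)' -SearchBase $pkiDN -SearchScope OneLevel)) {
    New-ADObject -Name 'Profile Templates' -Type container -Path $pkiDN
}

# Step 4: Profile Templates container, same rights plus Create All Child Objects.
Grant-ADObjectRights -DistinguishedName $profileTemplatesDN -Sid $childAdminsSid -Rights $profileRights

# Verification: show every ACE on the touched objects that names the child group.
$targets = @($certTemplatesDN, $profileTemplatesDN) + ($templateNames | ForEach-Object { "CN=$_,$certTemplatesDN" })
foreach ($dn in $targets) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference.Value -eq "$childNetBIOS\Domain Admins" } |
        Select-Object @{ n = 'Object'; e = { $dn } }, ActiveDirectoryRights, InheritanceType
}
```

Step 5 is deliberately left out of the script: the Restore files and directories right on a domain controller comes from the Default Domain Controllers Policy, and a local change made with secedit would be overwritten at the next policy refresh, so set it in that GPO. Granting the container rights with inheritance None is a least-privilege choice; if you later find the wizard needs to modify profile template objects it did not create itself, widen the ACE on the Profile Templates container to inherit to child objects rather than granting rights elsewhere.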
