This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 62%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Hi all,
i'm currently facing an issue, where I'm totally stuck with my research.
In our domain, I've got a bunch of Users where I can not manage the published certificates in ADUC.
What I do is:
Open Properties of a User
Click on "Published Certificates"
Get this infobox:
"You do not have sufficient rights to open the certificate store for changes. Windows will attempt to open the store in read-only mode."
On one hand side, the message is really clear, but on the other side, I just don't know where to change the permissions.
I face this issue, only on persons which have domain admin rights, but nothing change after removing them from the group (even after days not).
I would be thankful for any hint!
make sure if you run ADUC in elevated mode.
Good tip, but unfortunately that doesn't change anything.
What you see in Security tab for Domain Admins group?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 96%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFF%3C/text%3E%3C/svg%3E)
Hi,
Which user did you used to Manage Published certificates in ADUC?
Did you have the same issue if you use the built-in administrator or members in the administrators group?
Best Regards,
Hi,
I used all of them. The built-in Domain admin, and users which are members of the domain admin group and enterprise admin group. That doesn't change anything.
Kind Regards
Hi,
How about assign the full control permission to one of the admins on the OU which containing user accounts and check the result again?
Not sure if the issue is related to the following contents:
https://learn.microsoft.com/en-us/windows/win32/seccrypto/store-open
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 77%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Same here. Solution is to start mmc (and load the ADUC snapin) as computer account, in my case as system account on the DC that happens to be the CA.
Sorry for the late reply, but I've found a solution quite some time ago.
In our case there was a "Deny" permission entry on "Write userCertificate" in the secuirty settings of the specific users.