Disable trust of user-selected root CAs for a Windows Server 2003 domain

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To disable trust of user-selected root CAs for a Windows Server 2003 domain

  1. On the domain controller, open Active Directory Users and Computers.

  2. Click the domain name and, on the Action menu, click Properties.

  3. Click the Group Policy tab and then click the Edit button.

  4. In the console tree, click Trusted Root Certification Authorities.

    Where?

    • Default Domain Policy/Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities

  5. On the Action menu, click Properties.

  6. Clear the Allow users to select new root certification authorities (CAs) to trust check box and then click OK.

  7. Close the Group Policy snap-in.

Notes

  • To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

  • When you disable the trust of user-selected CAs, these are the consequences:

    • When the users access any secure Web sites that are validated by these user-selected root CAs, they will receive security alert warnings informing them that the sites are not trusted.

    • In Internet Explorer, under Certificates, any previous user-selected root CAs will no longer be listed under Trusted Root Certification Authorities.

  • If you don't want to disable trust of user-selected CA certificates for an entire domain, you can follow steps 4-7 for any Group Policy object that applies to all the computers for which you do want to have this trust disabled.
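
A read-only check to run on a computer in scope of the policy after Group Policy has refreshed. It is an added example, not part of the original procedure. It assumes that PowerShell is installed and that the setting is stored as the Flags value under the ProtectedRoots policy key, using the CERT_PROT_ROOT_* constants from wincrypt.h (the page itself does not name the registry location); the function names are hypothetical.

```powershell
# Added example: report whether trust of user-selected root CAs is disabled,
# and list the root certificates that exist only in the current user's view.
# Assumption: key path, value name and flag bit are the CERT_PROT_ROOT_*
# constants from wincrypt.h; they are not stated on the original page.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots'
$DisableCurrentUser = 0x1   # CERT_PROT_ROOT_DISABLE_CURRENT_USER_FLAG

function Test-UserRootTrustDisabled {
    # A missing key or missing Flags value means the check box is still selected.
    $flags = 0
    if (Test-Path $PolicyKey) {
        $item = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
        if ($item -and $null -ne $item.Flags) { $flags = [int]$item.Flags }
    }
    return (($flags -band $DisableCurrentUser) -ne 0)
}

function Get-UserOnlyRoot {
    # The CurrentUser view of the Root store also shows the machine-wide roots,
    # so subtract the LocalMachine thumbprints to isolate user-selected roots.
    $machine = @{}
    Get-ChildItem Cert:\LocalMachine\Root |
        ForEach-Object { $machine[$_.Thumbprint] = $true }
    Get-ChildItem Cert:\CurrentUser\Root |
        Where-Object { -not $machine.ContainsKey($_.Thumbprint) } |
        Select-Object Thumbprint, Subject, NotAfter
}

$disabled = Test-UserRootTrustDisabled
$userOnly = @(Get-UserOnlyRoot)

if ($disabled) {
    'Policy applied: user-selected root CAs are not trusted on this computer.'
    if ($userOnly.Count -gt 0) {
        'User-only roots are still visible; run gpupdate and log on again, then re-check:'
        $userOnly | Format-Table -AutoSize
    }
} else {
    'Policy not applied: users can still add trusted root CAs.'
    if ($userOnly.Count -gt 0) {
        'These user-selected roots will stop being trusted once the policy applies:'
        $userOnly | Format-Table -AutoSize
    } else {
        'No user-selected roots found for the current user.'
    }
}
```

Running it under a representative user account before clearing the check box shows which sites' issuing roots will start producing the security alert warnings described in the notes above.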

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Managing trust of user-selected certification authorities
Certificate stores
Managing trust of third-party certification authorities