Allow subjects to request a certificate that is based on the template

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


To allow subjects to request a certificate that is based on the template

  1. Open Certificate Templates.

  2. In the details pane, right-click the certificate template that you want to change, and then click Properties.

  3. On the Security tab, add the groups, computers, or users that you want.

  4. In Group or user names, click one of the new objects, and then, on Permissions for ObjectName, under the Allow column, select the Read and Enroll check boxes.

  5. Repeat the previous step for each new object.


  • To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open Certificate Templates, click Start, click Run, type certtmpl.msc, and then press Enter.

  • The Autoenroll permission must also be set if the subject will be using client autoenrollment to obtain certificates. For more information on autoenrollment, see Related Topics.

  • To disallow subjects from requesting a certificate based on a template, clear the Read and Enroll check boxes using the same steps as above.
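To review the result of the procedure above, the following added example (not code from the original page or from Microsoft) reads a template's access control list and reports which identities hold the Read, Enroll and Autoenroll permissions. The function name, the sample SIDs and the template name `WebServer` in the comments are assumptions made for illustration; the two GUIDs are the Active Directory extended rights that back the Enroll and Autoenroll check boxes.

```powershell
# Added example: report who holds Read / Enroll / Autoenroll on a template ACL.
Add-Type -AssemblyName System.DirectoryServices

$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$AutoenrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment
$ReadMask = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$ExtMask  = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-TemplateEnrollmentRights {   # hypothetical helper name
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    # Explicit and inherited ACEs, identities returned as SIDs (no name lookups).
    $rules = $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    # Only Allow ACEs are summarised; Deny ACEs are not evaluated here.
    $rules | Where-Object { $_.AccessControlType -eq 'Allow' } |
        Group-Object { $_.IdentityReference.Value } | ForEach-Object {
            $aces = $_.Group
            # Extended-right ACEs; an empty object GUID means "all extended rights",
            # which is how a Full Control entry also grants Enroll and Autoenroll.
            $ext = @($aces | Where-Object { ([int]$_.ActiveDirectoryRights -band $ExtMask) -ne 0 })
            New-Object PSObject -Property @{
                Identity   = $_.Name
                Read       = @($aces | Where-Object {
                    ([int]$_.ActiveDirectoryRights -band $ReadMask) -eq $ReadMask }).Count -gt 0
                Enroll     = @($ext | Where-Object {
                    $_.ObjectType -eq $EnrollGuid -or $_.ObjectType -eq [guid]::Empty }).Count -gt 0
                Autoenroll = @($ext | Where-Object {
                    $_.ObjectType -eq $AutoenrollGuid -or $_.ObjectType -eq [guid]::Empty }).Count -gt 0
            }
        } | Select-Object Identity, Read, Enroll, Autoenroll
}

# Constructed sample ACL (the domain SID is made up):
#   Authenticated Users (AU): Read only
#   RID 1105:                 Read + Enroll + Autoenroll
#   RID 512:                  Full Control
$dom  = 'S-1-5-21-1111111111-2222222222-3333333333'
$sddl = "D:(A;;RPLCLORC;;;AU)" +
        "(A;;RPLCLORC;;;$dom-1105)" +
        "(OA;;CR;$EnrollGuid;;$dom-1105)" +
        "(OA;;CR;$AutoenrollGuid;;$dom-1105)" +
        "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$dom-512)"
$acl = New-Object System.DirectoryServices.ActiveDirectorySecurity
$acl.SetSecurityDescriptorSddlForm($sddl)
Get-TemplateEnrollmentRights $acl | Format-Table -AutoSize

# Against a live template (assumes a template whose CN is 'WebServer'):
# $cfg = ([ADSI]'LDAP://RootDSE').configurationNamingContext
# $t = [ADSI]"LDAP://CN=WebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
# Get-TemplateEnrollmentRights $t.psbase.ObjectSecurity
```

An identity that shows Enroll or Autoenroll without appearing in the list of groups, computers, or users you intended to add in step 3 is a candidate for the removal step described in the last note.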

See Also


Add a certificate template to a certification authority
Re-enroll all certificate holders
Allowing for autoenrollment