
29 August 2024

Delegating ADCS PKI management to a non domain admin

There is official Microsoft documentation on how to delegate Active Directory Certificate Services (Public Key Infrastructure) management to a non domain admin. I used this procedure to delegate CA management on Windows Server 2019, so it is still relevant:

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786430(v=ws.11)

That's what I followed, but what it doesn't tell you is what happens if, after the delegation has been done, the delegated users are unable to publish a new certificate template to issue. The answer is that the problem doesn't come from the delegation, it comes from the GUI, so you just need to use the certutil command line tool to publish the new template.

The built-in certutil.exe tool can be used to manage certificate templates on the CA server, locally or remotely:

  1. Log on to the CA server, or to a computer with Remote Server Administration Tools installed, with CA Administrator permissions;
  2. Open an elevated Command Prompt;
  3. If you are logged on to the CA server, type:
    certutil -SetCaTemplates +<TemplateCommonName>
    Replace <TemplateCommonName> with the template's actual common name.


certutil -setcatemplates +WebServerwithClientAuth
0: WebServerwithClientAuth: Adding
CertUtil: -SetCATemplates command completed successfully.

I found the solution on Greig Sheridan's blog:

https://greiginsydney.com/

The specific topic is here: 

https://greiginsydney.com/server-2016-unable-to-set-certificate-to-issue/?unapproved=34677&moderation-hash=f8f7e9758fa7c079b382568dcb0aee87
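The post shows the certutil command but not how to confirm that the template really ended up in the CA's issued list, which is what a delegated CA Administrator (who cannot see it in the GUI) needs. The following is an added example written for this page, not code from the original post or from Microsoft's documentation. It wraps the same certutil -SetCATemplates command and reads the result back with certutil -CATemplates; the template name 'WebServerwithClientAuth' comes from the post, and the -config value "CAHOST\Corp Issuing CA" used for the remote case is a placeholder.

```powershell
# Added example (not from the original post): publish a template from a delegated
# CA Administrator session with certutil, then verify it appears in the CA's
# issued-template list. Run from an elevated PowerShell; omit -CaConfig on the CA itself.

function Get-CaIssuedTemplate {
    # Returns the common names of the templates the CA currently issues.
    # certutil -CATemplates prints one "CommonName: DisplayName -- ..." line per
    # template, followed by a "CertUtil: ... completed successfully." status line.
    param([string]$CaConfig)
    $certutilArgs = @()
    if ($CaConfig) { $certutilArgs += '-config', $CaConfig }   # remote CA: "CAHOST\CA Name"
    $certutilArgs += '-CATemplates'
    $output = & certutil.exe @certutilArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -CATemplates failed:`n$($output -join "`n")" }
    $output | ForEach-Object {
        # skip the CertUtil status line, keep the token before the first colon
        if ($_ -match '^(?!CertUtil:)(\S+):') { $Matches[1] }
    }
}

function Publish-CaTemplate {
    # Adds $TemplateName to the CA's issued templates (the post's command) and
    # returns $true only if the template is listed afterwards.
    param(
        [Parameter(Mandatory)][string]$TemplateName,
        [string]$CaConfig
    )
    if ((Get-CaIssuedTemplate -CaConfig $CaConfig) -contains $TemplateName) {
        Write-Host "Template '$TemplateName' is already published."
        return $true
    }
    $certutilArgs = @()
    if ($CaConfig) { $certutilArgs += '-config', $CaConfig }
    $certutilArgs += '-SetCATemplates', "+$TemplateName"     # '+' adds, '-' removes
    $output = & certutil.exe @certutilArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -SetCATemplates failed:`n$($output -join "`n")" }
    $published = (Get-CaIssuedTemplate -CaConfig $CaConfig) -contains $TemplateName
    if ($published) {
        Write-Host "Template '$TemplateName' is now published."
    } else {
        Write-Warning "certutil reported success but '$TemplateName' is not in the issued list; check the common name."
    }
    return $published
}

# Usage (run as the delegated CA Administrator):
# Publish-CaTemplate -TemplateName 'WebServerwithClientAuth'
# Publish-CaTemplate -TemplateName 'WebServerwithClientAuth' -CaConfig 'CAHOST\Corp Issuing CA'   # placeholder config string
```

The read-back matters beyond convenience: the issued-template list is exactly the set of templates the CA will accept requests for, so every addition made by a delegated administrator widens the enrollment surface and is worth recording (the CA's own audit log captures it when "Change CA configuration" auditing is enabled).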

19 April 2018

Delegate Active Directory password reset




Step 1: Start the Delegation of Control Wizard and select the user or group to delegate to


Open ADUC (Active Directory Users and Computers), find your domain tree and browse to the topmost level at which you wish to apply the permissions (for example, the 'Domain users' OU at my workplace), then right-click > 'Delegate Control'.

At the Welcome dialog, click 'Next'.

At the Users or Groups dialog, click the 'Add...' button. You will be prompted to add a user or group to which you will apply delegated rights.

At the Select Users, Computers, or Groups dialog, either type the name of the object (use domain\username or domain\groupname for best results) or click 'Advanced' > 'Find' to locate the resource to which you wish to apply permissions.

Once you've selected your resource(s), click 'OK' at the Select Users, Computers, or Groups dialog, then click 'Next' at the Users or Groups dialog.


Step 2: Delegate your task(s)


At the Tasks to Delegate dialog, you can select from a wide assortment of tasks to assign to your users.

**** If you ONLY want to delegate the reset password task ****
Verify that the 'Delegate the following common tasks' radio button is selected, select 'Reset user passwords and force password change at logon' and click the 'Next' button.

Continue to step 3.

**** If you additionally want to delegate the ability to enable/disable user accounts ****
Tick the 'Create a custom task to delegate' radio button and click the 'Next' button.

Tick the 'Only the following objects in the folder' radio button, select 'User objects' and click the 'Next' button.

At the 'Permissions' dialog, select the 'General' and 'Property-specific' checkboxes and, in the list below, check the following permissions:

Change Password
Reset Password
Read userAccountControl
Write userAccountControl

Click the 'Next' button.


Step 3: Complete the Delegation of Control Wizard


Once you've finished delegating your tasks, you can click the 'Finish' button at the Completing the Delegation of Control Wizard dialog.

Now the users you delegated these tasks to should be able to reset passwords (or perform the other actions you specified) on the objects in the OU where you set up the delegated permissions.




Reference: https://community.spiceworks.com/how_to/1464-how-to-delegate-password-reset-permissions-for-your-it-staff

05 February 2018

PowerShell + DSACLS reset password

I used DSACLS inside PowerShell (I used PowerShell V4).
I read from this blog post https://vbzine.wordpress.com/2011/05/14/dsacls-command-to-grant-domain-groups-password-reset-and-unlock-account-rights-to-specific-org-unit-ou/#comment-768
how to grant reset password rights for a specific OU using DSACLS, but the syntax is wrong as the Write Property and Read Property are case sensitive and must be capitalized, and the last quote needs to be placed after the ;user and not before. Here is the correct syntax:

# "Reset Password" control access right on user objects in the OU (/I:S = sub-objects only)
dsacls "OU=TeamA,dc=SWUG,dc=com,dc=sg" /I:S /G "swug\groupA:CA;Reset Password;user"
# Read + Write Property on pwdLastSet (lets the group force a password change at next logon)
dsacls "OU=TeamA,dc=SWUG,dc=com,dc=sg" /I:S /G "swug\groupA:RPWP;pwdLastSet;user"
# Read + Write Property on lockoutTime (lets the group unlock accounts)
dsacls "OU=TeamA,dc=SWUG,dc=com,dc=sg" /I:S /G "swug\groupA:RPWP;lockoutTime;user"
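Whether the rights were granted with the Delegation of Control wizard (previous post) or with the dsacls lines above, the check a practitioner wants afterwards is the same: read the OU's ACL back and confirm the group holds exactly the intended rights and nothing broader. The following is an added example written for this page, not code from either post or from the referenced blogs. It resolves the object-type GUIDs in each ACE to attribute and extended-right names from the schema and the Extended-Rights container, so the output reads "Reset Password" and "pwdLastSet" instead of GUIDs, and reports any ACE outside an expected list. It assumes the RSAT ActiveDirectory module; the OU distinguished name, the group name and the expected-rights list in the usage lines are taken from the dsacls example above and are placeholders for your own values.

```powershell
# Added example (not from the original posts): audit the explicit ACEs a delegation
# left on an OU and flag anything beyond the expected set. Requires the RSAT
# ActiveDirectory module (for Get-ADObject, Get-ADRootDSE and the AD: drive).
Import-Module ActiveDirectory

function Get-AdGuidNameMap {
    # GUID -> name map built from the schema (attribute/class schemaIDGUID) and the
    # Extended-Rights container (control access rights such as "Reset Password").
    $root = Get-ADRootDSE
    $map = @{}
    Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.displayName }
    return $map
}

function Get-OuDelegatedAce {
    # Lists the explicit (non-inherited) ACEs on $OuDn held by $Trustee ("DOMAIN\Group").
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [Parameter(Mandatory)][string]$Trustee
    )
    $map = Get-AdGuidNameMap
    $acl = Get-Acl -Path "AD:\$OuDn"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited -or $ace.IdentityReference.Value -ne $Trustee) { continue }
        # ObjectType: which attribute/right the ACE covers (empty GUID = everything)
        $object = if ($ace.ObjectType -eq [guid]::Empty) { 'All' } elseif ($map.ContainsKey($ace.ObjectType)) { $map[$ace.ObjectType] } else { $ace.ObjectType.ToString() }
        # InheritedObjectType: which object class the ACE applies to (e.g. user)
        $appliesTo = if ($ace.InheritedObjectType -eq [guid]::Empty) { 'This object and all descendants' } elseif ($map.ContainsKey($ace.InheritedObjectType)) { "$($map[$ace.InheritedObjectType]) objects" } else { $ace.InheritedObjectType.ToString() }
        [pscustomobject]@{
            Trustee   = $Trustee
            Type      = $ace.AccessControlType
            Rights    = $ace.ActiveDirectoryRights
            Object    = $object
            AppliesTo = $appliesTo
        }
    }
}

function Test-OuDelegation {
    # Returns the trustee's ACEs whose Object is NOT in $ExpectedObjects, e.g. a stray
    # "All" (GenericAll/WriteDacl) that a wider delegation would leave behind.
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [Parameter(Mandatory)][string]$Trustee,
        [Parameter(Mandatory)][string[]]$ExpectedObjects
    )
    Get-OuDelegatedAce -OuDn $OuDn -Trustee $Trustee |
        Where-Object { $ExpectedObjects -notcontains $_.Object }
}

# Usage (placeholder OU and group from the dsacls lines above):
# Get-OuDelegatedAce -OuDn 'OU=TeamA,DC=SWUG,DC=com,DC=sg' -Trustee 'SWUG\groupA' | Format-Table -AutoSize
# Anything returned here is more than the three rights the dsacls commands grant:
# Test-OuDelegation -OuDn 'OU=TeamA,DC=SWUG,DC=com,DC=sg' -Trustee 'SWUG\groupA' `
#     -ExpectedObjects 'Reset Password', 'pwdLastSet', 'lockoutTime'
```

For an OU delegated with the wizard's "Reset user passwords and force password change at logon" task, expect the same "Reset Password" and pwdLastSet entries (that task does not grant lockoutTime); the custom task from the previous post adds userAccountControl and "Change Password" on user objects. Running Test-OuDelegation periodically is a cheap way to notice when a helpdesk group's rights on an OU have drifted beyond what was originally delegated.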