ADCS (PKI) - Cert Services DCOM Access Group membership

Question

We are having issues with an NDES service account not being able to connect to the CA over DCOM (RPC Server Unavailable). The behavior is as follows:

• If We add the service ID explicitly to the Certificate Services DCOM Access local group on the CA server, the connection works
• If we add [DOMAIN]\Domain Users to the group, the connection does not work.
• If we add Authenticated Users to the group, the connection works.

The Certificate Services DCOM Access local group is controlled by a tool that mimics group policy, but is not an actual GPO. The tool can only resolve domain accounts and groups, so Authenticated Users cant be enforced.

Is there any good reason that [DOMAIN]\Domain Users isnt working for us? My understanding is that the group is dynamic, and any account that is a member of [DOMAIN] is inherently a member of [DOMAIN]\Domain Users. We d really like to avoid having to add individual accounts to this local group as there are many and ever-changing.

Answer 1

It sounds like you're referring to an on-prem active directory issue.
Can you provide the docs that you're trying to follow?

I suggest posting your question against the active directory forums here : https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverds

As these forums are meant for Azure AD related issues.

More information on the Cert SErvices DCOM access group can be found here : https://morgansimonsen.com/2012/01/24/an-overview-of-groups-used-by-active-directory-certificate-services/