Recently I was implementing a new PKI on a customer’s site.

They had a single forest with 6 child domains. Some of the domains dated back to Windows 2000, where the "Cert Publishers" group was created as a Global group (Windows Server 2003 and later create it as Domain Local).
We needed to add the computer accounts of the issuing CAs to the Cert Publishers group in each child domain. A Global group can only contain accounts from its own domain, so the group had to be changed to "Domain Local" scope.
Active Directory does not allow a Global group to be converted directly to Domain Local (the option is greyed out in "Active Directory Users and Computers"); the conversion has to go through Universal first. I used the following script to complete this:

Set grp = GetObject("LDAP://CN=Cert Publishers,CN=Users,DC=sub,DC=example,DC=com")
grp.Put "groupType", "-2147483640"   ' 0x80000008 = security-enabled Universal group
grp.SetInfo                          ' commit: Global -> Universal
grp.Put "groupType", "-2147483644"   ' 0x80000004 = security-enabled Domain Local group
grp.SetInfo                          ' commit: Universal -> Domain Local
Change the DC=sub,DC=example,DC=com part to match each child domain and run the script once per domain. Each Put must be followed by SetInfo, otherwise nothing is written to the directory and the second Put simply overwrites the first in the local cache.

Save the above in a .vbs file and run it with cscript from an elevated command prompt. Elevation alone is not enough: the account running the script needs write access to the group object in the target child domain (by default a member of that domain's Domain Admins). Note also that AD will refuse the Global -> Universal step if the Cert Publishers group is itself a member of another Global group; remove that nesting first.
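The same change done with the ActiveDirectory PowerShell module, looping over all child domains and then adding the CA computer accounts, with a check that the scope really changed before membership is touched. This is an added example, not the original post's VBScript; it assumes the RSAT ActiveDirectory module is installed and that the running account has write access to the Cert Publishers group in each child domain. The domain names, the CA domain and the CA computer names are placeholders.

```powershell
# Added example, not the original post's VBScript. Assumes the RSAT ActiveDirectory
# module and an account with write access to CN=Cert Publishers in each child domain.
# Domain names, the CA domain and the CA computer names below are placeholders.
Import-Module ActiveDirectory

$childDomains = @('sub1.example.com', 'sub2.example.com')   # placeholder child domains
$issuingCAs   = @('ISSUINGCA01', 'ISSUINGCA02')              # placeholder CA computer names
$caDomain     = 'example.com'                                 # placeholder: domain the CAs live in

# Resolve the CA computer accounts once, in their own domain, so we have their DNs.
$caDNs = foreach ($ca in $issuingCAs) {
    (Get-ADComputer -Identity $ca -Server $caDomain).DistinguishedName
}

foreach ($domain in $childDomains) {
    # Always talk to a DC of the domain that owns the group; the write happens there.
    $dc  = (Get-ADDomainController -DomainName $domain -Discover).HostName[0]
    $grp = Get-ADGroup -Identity 'Cert Publishers' -Server $dc -Properties GroupScope
    $dn  = $grp.DistinguishedName

    if ($grp.GroupScope -eq 'Global') {
        # AD rejects a direct Global -> DomainLocal change; step through Universal,
        # which is what the two groupType writes in the VBScript do.
        Set-ADGroup -Identity $dn -Server $dc -GroupScope Universal
        Set-ADGroup -Identity $dn -Server $dc -GroupScope DomainLocal
    }

    # Re-read from the same DC and verify before touching membership.
    $grp = Get-ADGroup -Identity $dn -Server $dc -Properties GroupScope, member
    if ($grp.GroupScope -ne 'DomainLocal') {
        throw "Cert Publishers in $domain is still $($grp.GroupScope); aborting."
    }

    # Add only the CA accounts that are not already members, writing their DNs
    # straight into the 'member' attribute (cross-domain members are allowed
    # now that the group is Domain Local).
    $toAdd = $caDNs | Where-Object { $grp.member -notcontains $_ }
    if ($toAdd) {
        Set-ADGroup -Identity $dn -Server $dc -Add @{ member = $toAdd }
    }

    "$domain : Cert Publishers is $($grp.GroupScope); members now:"
    (Get-ADGroup -Identity $dn -Server $dc -Properties member).member
}
```

Run it from a management host as an account that has rights in every child domain listed. The membership step is filtered so the script can be re-run safely; adding a DN that is already a member would otherwise fail with an "already a member" error.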


