We have a functional NDES environment with PKI infrastructure, but we would like to not have the SCEP Administrator account be a member of the Domain Admin group for audting and security purposes. Are they any ways to configure the service accounts with different permissions on the CA to mitigate the risk and/or requirement for an account to be in the domain admin group.
I'm referencing an article in the requirements tab on page 3.
http://technet.microsoft.com/en-us/library/ff955646(v=ws.10).aspx
Thanks in advance for any assistance,
Steve Skwerski