Windows server 2019 - minimal permissions to allow certmgr.msc (local) to connect to server for read cert store access
I'm trying to figure out what userrights or group membership would be necessary to allow normal built-in\users read-access to a remote server's certificate store via certmgr.msc (or "manage computer certificates"). As seen below, one of the users I had test from their laptop opened certmgr and selected "connect to another server", but then received "you do not have permissions to manage the certifcate store". The only thing I've seen is possibly adding registry permissions so they can query, but that was from a pretty old winsrv2012 article that was more towards using posh to query. I'd just prefer admins not have to stop and check server cert stores, since I'm not supposed to allow everyone RDP access.
Windows stores LocalMachine certificates in the registry, so your users need access to connect to the Remote Registry service, and the service must be running. By default, only Administrators and the Backup Operators group have permission.
To give access to other users:
- open regedit as admin
- Locate the following key:
HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg - Right-click winreg, click Permissions, and then edit the current permissions or add the users or groups to whom you want to grant access.
- then restart Windows.
It looks like you can give ReadKey rights for read-only access.
Also note that the windows cert store allows all users to read the public certificate information, but only Administrators and SYSTEM can read/export the private keys. This can be adjusted per-certificate in certlm.msc by right-click the cert > All Tasks > Manage Private Keys.
- NTFS vs FAT32 Search Time
- what happens during context switch between two processes in linux?
- shutil moving only one file instead of many files in a directory
- Problems with os.rename | OSError: [WinError 123]
- How do you run a python script when an app runs
- Where is SYSCALL() implemented in Linux?
- Process VS thread : can two processes share the same shared memory ? can two threads?
- Difference between processes running in kernel mode and running as root?
- Detect Windows version in .NET
- UEFI Shell Is Unresponsive
- Is it possible to binary patch an uncritical compare instruction of /boot/vmlinuz and make it run as normal?
- Exec function in c is not running
- Detect MacOS arm64 and x86/x64 in Java
- What does the concept of "worker" mean in programming?
- Are function callback and interprocess communication are same?
- How can I check whether a memory address is writable or not at runtime?
- How to get detailed Windows OS namestring, version and kernel-version via win32 API?
- How would a system tray application be accomplished on other platforms?
- Hardware interrupt when Power Button pressed?
- What's the difference between "riscv64-unknown-elf-gcc" and "riscv64-linux-gnu-gcc"
- pyqt4: Open website in standard browser on button click
- How to copy files in Python without `os.rename` or `shutil`?
- Are two sockets not allowed to use the same port?
- What is the number for the standard VESA video mode 1920x1080x24bpp?
- unlocking the system preferences is not working
- How to import using a path that is a variable in Python
- Git core.autocrlf line ending default setting
- Who decides the sizeof any datatype or structure (depending on 32 bit or 64 bit)?
- Attempt to parallelize the summation of natural numbers from 1 to N happens to lower computing speed instead?
- Python: Detect Android