Installation of the default certificate templates fails with the error message "This security ID may not be assigned as the owner of this object."

Assume the following scenario:

  • A certification authority integrated into Active Directory (Enterprise Certification Authority) is to be installed in the network for the first time.
  • The rights to install the certificate authority have been delegated to a separate security group or account for security reasons, so no Enterprise Administrator login is required. Put another way: the account used is not a member of the Enterprise Administrators group in the Active Directory forest.
  • Since this is the first certification authority in the network, no default certificate templates are installed in Active Directory yet. When opening the certificate template management console (certtmpl.msc), one is prompted to install them.
  • The installation fails with the following error message:
Windows could not install the new certificate templates. This security ID may not be assigned as the owner of this object.

When trying to install the default certificate templates via certutil, a similar error message appears:

CertUtil: -InstallDefaultTemplates command FAILED: 0x8007051b (WIN32: 1307 ERROR_INVALID_OWNER)
CertUtil: This security ID may not be assigned as the owner of this object.

Cause

The installation of the default certificate templates must be performed once by an account with Enterprise Administrator privileges, since the Restore Files and Directories privilege on domain controllers is required to create the default certificate templates.

The creation of the default certificate templates can be done with the following command:

certutil -installdefaulttemplates

This command can also be executed on a domain controller without installing additional software, as certutil is part of the standard Windows operating system installation.

However, it must be ensured that the command is executed with elevated rights (Run as Administrator), otherwise the error message ERROR_DS_INSUFF_ACCESS_RIGHTS is reported.

CertUtil: -InstallDefaultTemplates command FAILED: 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)
CertUtil: Insufficient access rights to perform the operation.
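
A pre-flight check for the two conditions described above, as an added example that is not part of the original article. It assumes PowerShell 5 or later on a domain-joined machine and identifies the Enterprise Administrators group by its well-known SID (RID 519 of the forest root domain); the function name Install-DefaultTemplatesChecked is hypothetical.

```powershell
# Added example, not from the original article.
# Usage (after loading the function): Install-DefaultTemplatesChecked
function Install-DefaultTemplatesChecked {   # hypothetical name
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)

    # Condition 1: the shell must be elevated, otherwise certutil reports
    # ERROR_DS_INSUFF_ACCESS_RIGHTS.
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($adminRole)) {
        throw 'Not elevated: start the shell with "Run as Administrator".'
    }

    # Condition 2: the token must carry the Enterprise Administrators group of
    # the forest root domain, otherwise certutil reports ERROR_INVALID_OWNER.
    $rootDse    = [ADSI]'LDAP://RootDSE'
    $rootDomain = [ADSI]"LDAP://$($rootDse.rootDomainNamingContext)"
    $domainSid  = [Security.Principal.SecurityIdentifier]::new(
                      [byte[]]$rootDomain.objectSid.Value, 0)
    $eaSid      = [Security.Principal.SecurityIdentifier]::new(
                      [Security.Principal.WellKnownSidType]::AccountEnterpriseAdminsSid,
                      $domainSid)
    if (-not $principal.IsInRole($eaSid)) {
        throw "Token of $($identity.Name) does not carry the group $eaSid."
    }

    # Both conditions hold: run the command from the article, capture its output.
    $output = & certutil.exe -installdefaulttemplates 2>&1 | Out-String

    # Map the two error codes quoted in the article to their cause.
    $known = @{
        '0x8007051b' = 'ERROR_INVALID_OWNER: no Enterprise Administrator privileges.'
        '0x80072098' = 'ERROR_DS_INSUFF_ACCESS_RIGHTS: command was not run elevated.'
    }
    if ($output -match 'FAILED: (0x[0-9a-fA-F]{8})') {
        $code = $Matches[1].ToLower()
        $hint = if ($known.ContainsKey($code)) { $known[$code] }
                else { 'Code not covered by this article.' }
        throw "certutil failed with $code. $hint"
    }
    $output   # certutil output on success
}
```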
