How To Edit The ACL Of A Certificate Template
You can control which users can enroll for which kinds of certificates by editing the ACL of the certificate template. The ACL, or Access Control List, determines what type of access, if any, a user has to an object. Because each certificate template has its own ACL, you can change the default permissions to grant or deny a user access.
You can edit the ACL of a certificate template using the steps outlined below:
- Click Start, point to Programs, Administrative Tools, and click Active Directory Sites and Services.
- Click the View menu and select the Show Services Node option.
- Expand the Services container and expand Public Key Services.
- Click the Certificate Templates folder.
- Right-click the appropriate template and click the Properties option.
- Select the Security tab.
- Ensure the appropriate users or groups have the Enroll permission to request the certificate type. If a user does not have the Enroll permission, they will not be able to request a certificate of that specific type.
- If you want to give users the ability to autoenroll for a certificate, you must assign the Autoenroll permission.
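
To review the result of these steps across every template at once, the following added example (not part of the original article) lists which users and groups hold Enroll or Autoenroll. It assumes Windows PowerShell 5.1 or later; the function names and the `EXAMPLE\Domain Users` sample entries are made up for illustration, and the GUIDs are the directory schema's Certificate-Enrollment and Certificate-AutoEnrollment extended rights.

```powershell
# Added example: list who holds Enroll / Autoenroll on certificate templates.
Add-Type -AssemblyName System.DirectoryServices

# Extended-right GUIDs behind the two permissions on the template's Security tab.
$RightNames = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'Autoenroll'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'  # implies both
}

function Get-EnrollmentGrant {
    # Hypothetical helper: keep only the ACL entries that allow or deny enrollment rights.
    param([string]$Template, [System.DirectoryServices.ActiveDirectoryAccessRule[]]$Rule)
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    foreach ($r in $Rule) {
        $name = $RightNames[$r.ObjectType.ToString()]
        if ($name -and $r.ActiveDirectoryRights.HasFlag($extended)) {
            [pscustomobject]@{
                Template   = $Template
                Identity   = $r.IdentityReference.Value
                Access     = $r.AccessControlType
                Permission = $name
                Inherited  = $r.IsInherited
            }
        }
    }
}

function Get-TemplateEnrollmentGrant {
    # Hypothetical helper: read every template ACL from the Configuration partition.
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $dn = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    foreach ($t in ([ADSI]"LDAP://$dn").psbase.Children) {
        $rules = $t.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
        Get-EnrollmentGrant -Template ([string]$t.cn) -Rule @($rules)
    }
}

# Constructed sample entries (names are made up) so the filter can be tried without a domain.
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$ext   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$read  = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$users = [System.Security.Principal.NTAccount]::new('EXAMPLE\Domain Users')
$sample = @(
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($users, $ext, $allow, [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'),
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($users, $read, $allow)
)
Get-EnrollmentGrant -Template 'SampleTemplate' -Rule $sample | Format-Table -AutoSize

# On a domain-joined machine: Get-TemplateEnrollmentGrant | Sort-Object Template, Identity
```

Only the first sample entry is reported, because a read-only entry carries no enrollment right. Entries shown as "All extended rights" deserve the same review as explicit Enroll grants.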




