This article applies to BHCE and BHE

The edge indicates that an IssuancePolicy has an OID group link to a group.

Certificate templates may include the IssuancePolicy as an issuance policy extension. Users authenticating using a certificate of such a certificate template will be granted access as a member of the group.

Abuse Info

An attacker may perform the ADCS ESC13 abuse which relies on the OID group link. This relationship alone is not enough to escalate rights or impersonate other principals.

Opsec Considerations

When an attacker abuses a privilege escalation or impersonation primitive that relies on this relationship, it will necessarily result in the issuance of a certificate. A copy of the issued certificate will be saved on the host that issued the certificate.