
# IssuancePolicy

*Applies to BloodHound Enterprise and CE*

## Representation

The IssuancePolicy node represents the Active Directory LDAP objects of the *msPKI-Enterprise-Oid* class located in the *OID* container in the Configuration Naming Context.

## Node properties

The node supports the properties listed in the table below. Three kinds of property names are used, depending on where the property is found:

* **Entity Panel:** Name shown in the BloodHound UI.
* **Database:** Name stored in the BloodHound database and returned by the BloodHound API. This is to be used when running Cypher queries.
* **Directory:** Name collected from the directory the node is stored in, for example, the LDAP name for an Active Directory property.

| **Entity Panel**             | **Database**      | **Directory**           | **Description**                                                                                |
| ---------------------------- | ----------------- | ----------------------- | ---------------------------------------------------------------------------------------------- |
| Object ID                    | objectid          | objectGUID              | The object's unique identifier in the directory.                                               |
| ACL Inheritance Denied       | isaclprotected    | nTSecurityDescriptor    | Whether inherited permissions (ACEs) from containers are blocked on this object.               |
| Certificate Template OID     | certtemplateoid   | msPKI-Cert-Template-OID | The OID string used in certificate templates to reference this issuance policy.                |
| Created                      | whencreated       | whenCreated             | When the object was created in the directory.                                                  |
| Distinguished Name           | distinguishedname | distinguishedName       | The name of the object and its location in AD.                                                 |
| Domain FQDN                  | domain            | -                       | The fully qualified domain name (FQDN) of the domain the object belongs to.                    |
| Domain SID                   | domainsid         | -                       | The SID of the domain the object belongs to.                                                   |
| Last Collected by BloodHound | lastcollected     | -                       | The most recent time the object was collected and ingested in BloodHound.                      |
| Last Seen by BloodHound      | lastseen          | -                       | The most recent time the object or a reference to it was collected and ingested in BloodHound. |
| -                            | name              | name + domain name      | Name of the object + @ + the name of the domain.                                               |

## Edges

The following edge types may be linked to/from this node. See the [edges documentation](/resources/edges) for more information on the edge types.

### Incoming edges

| **Edge type**    | **Entity panel category**            |
| ---------------- | ------------------------------------ |
| GenericAll       | Inbound Object Control               |
| GenericWrite     | Inbound Object Control               |
| Owns             | Inbound Object Control               |
| WriteDacl        | Inbound Object Control               |
| WriteOwner       | Inbound Object Control               |
| ExtendedByPolicy | Certificate Templates with Extension |

### Outgoing edges

| **Edge type** | **Entity panel category** |
| ------------- | ------------------------- |
| OIDGroupLink  | OID Group Link            |
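The database property names from the table above and the two certificate-specific edge types (ExtendedByPolicy inbound, OIDGroupLink outbound) can be combined in a single Cypher query to audit which issuance policies are carried by which templates and which group, if any, each policy maps to. The query below is an added example and is not part of the BloodHound documentation or code base; it assumes the BloodHound node labels `CertTemplate` and `Group` for the far ends of those edges, which this page does not name.

```cypher
// Added example (not from the original page): audit issuance policies.
// For every IssuancePolicy node, list the certificate templates whose
// msPKI-Certificate-Policy references it (ExtendedByPolicy) and the group
// it links to through its OID object (OIDGroupLink). Policies with a linked
// group are the ones worth reviewing for ESC13-style exposure.
MATCH (p:IssuancePolicy)
OPTIONAL MATCH (t:CertTemplate)-[:ExtendedByPolicy]->(p)   // label assumed
OPTIONAL MATCH (p)-[:OIDGroupLink]->(g:Group)              // label assumed
RETURN p.name              AS policy,
       p.certtemplateoid   AS template_oid,
       p.distinguishedname AS dn,
       p.isaclprotected    AS acl_inheritance_denied,
       collect(DISTINCT t.name) AS templates,
       g.name              AS linked_group
ORDER BY linked_group DESC, policy
```

Run it from the BloodHound Cypher query panel or through the API. Rows with a non-null `linked_group` and a non-empty `templates` list are the policies to cross-check against the inbound object-control edges listed above, since anyone holding GenericAll, GenericWrite, Owns, WriteDacl or WriteOwner on such a policy object can change the properties the query reports.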

## References

* [ADCS ESC13 Abuse Technique](https://specterops.io/blog/2024/02/14/adcs-esc13-abuse-technique/)
* [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd378897\(v=ws.10\)?redirectedfrom=MSDN)
* [Use Authentication Mechanism Assurance (AMA) to secure administrative account login](https://www.gradenegger.eu/en/using-authentication-mechanism-assurance-ama-to-secure-the-login-of-administrative-accounts/)
