Solved

Administrator account and a roaming profile

Posted on 2010-09-11
Last Modified: 2012-06-21
We have added a certificate root server to our network to implement NAP. We use automatic certificate enrollment. The automatic enrollment GPO isn’t scoped to the administrator. The administrator account doesn’t have a roaming profile. Now that 802.1x is activated, when I log in to a computer with 802.1x enabled using the administrator account, the network connection gets blocked after the reauthentication, because the administrator doesn’t have a user certificate. I can’t link a GPO to the built-in Users container, in which the administrator account is located. Now I can add the administrator to the scope of the automatic enrollment GPO. But then the administrator gets a new certificate during every login to a computer on which a user certificate wasn’t yet enrolled to the local profile. Then I have to change the profile of the administrator to a roaming profile. Also I have to create and link a GPO to the administrator to prevent the Desktop, Start menu and Documents from roaming. To make this work I have to create a GPO with loopback processing, scoped to the administrator. But because the loopback policy is a Computer policy, I also have to add all the computers to the scope of this loopback GPO. Or I can also move the administrator account to an OU to which a GPO can be linked.

Or I can stop using THE administrator account, disable the account as usually advised by Microsoft, and create a new user account with the same rights and privileges and add it to the Users OU to get the certificate with auto enrollment and prevent the Desktop, Start menu and Documents from roaming.

I’m looking for advice and tips: how are you solving this in your domain?
Question by:NicoNL
2 Comments
 
Accepted Solution by: Sean_D76 (LVL 4, earned 2000 total points)
ID: 33655114
No experience with NAP but from reading this two things crossed my mind:
1.) You can't link a GPO to the Users folder where Administrator resides, BUT you can link the GPO at the top (domain level) and set the "Applies to" security option to be "Administrator" only.

2.) You don't have to auto-enroll just to get a cert. There is a manual way... check the IIS on your cert server but there is probably a new site there like /certserv or something. Go to that page while logged in as administrator and I believe there is an option for enrolling yourself.

Furthermore, I'm a bit confused on why you think a new cert will be issued every time you log in as admin unless you use roaming profiles. The cert gets stored in AD with the user object and should not change on a per-PC basis. If it did you'd have serious problems with EFS files and such. So really I think there would be no downside to letting the auto-enroll GPO affect the Administrator account as well. Admittedly this is not one of my stronger areas though so maybe I'm missing something here?
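The approach from the accepted solution (link the autoenrollment GPO at the domain root and use security filtering so only the Administrator account applies it), written out as a PowerShell script. This is an added example, not code from the thread or from either participant. It assumes the GroupPolicy and ActiveDirectory RSAT modules are available, and the GPO name `User Cert Autoenrollment - Admin` is a made-up placeholder. It also goes one step beyond the thread: Authenticated Users keeps Read on the GPO rather than being removed outright, because since MS16-072 the computer account must be able to read user-side GPOs for them to process at all.

```powershell
# Added example (not from the thread): domain-root GPO filtered to Administrator only.
# Assumptions: RSAT GroupPolicy + ActiveDirectory modules; GPO name is a placeholder.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain  = (Get-ADDomain).DNSRoot
$GpoName = 'User Cert Autoenrollment - Admin'   # assumed/placeholder name

# 1. Create the GPO if needed and link it at the domain root. The domain root is the
#    only link target that reaches accounts living in the built-in Users container.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'User autoenrollment, filtered to Administrator'
}
$alreadyLinked = (Get-GPInheritance -Target $Domain).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $Domain -LinkEnabled Yes | Out-Null
}

# 2. Turn on user certificate autoenrollment inside the GPO. This is the registry
#    value that "Certificate Services Client - Auto-Enrollment" writes in GPMC
#    (7 = enabled, with the renew/update-pending and template-update options ticked).
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Cryptography\AutoEnrollment' `
    -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null

# 3. Security filtering. Authenticated Users loses "Apply Group Policy" but keeps
#    Read (required for computer accounts after MS16-072); Apply is granted only to
#    the built-in Administrator, resolved by its well-known RID 500 rather than by name.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
$adminSid = "$((Get-ADDomain).DomainSID.Value)-500"
$adminSam = (Get-ADUser -Identity $adminSid).SamAccountName
Set-GPPermission -Name $GpoName -TargetName $adminSam -TargetType User `
    -PermissionLevel GpoApply | Out-Null

# 4. Check the resulting ACL: expect Authenticated Users = GpoRead, Administrator = GpoApply.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, TrusteeType, Permission

# 5. On an 802.1X client, in the Administrator's session, after "gpupdate /force" and
#    "certutil -pulse" (or a fresh logon), confirm a client-auth user certificate exists.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Client Authentication' } |
    Select-Object Subject, NotAfter, Thumbprint
```

Two design notes. Resolving the account by RID 500 keeps the script correct even where the built-in Administrator has been renamed, which is common hardening. And because the GPO is linked at the domain root, the Read-only entry for Authenticated Users is what keeps the policy from silently applying to everyone while still letting every domain computer read it during user policy processing; if the cert still doesn't appear, `gpresult /r /scope:user` on the client shows whether the GPO was applied or filtered out.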
Author Comment by: NicoNL
ID: 33656113
Link the GPO at the top, scoped only to the Administrator: yes, that's indeed the way to push the auto enrollment to the administrator. Then I don't have to change the administrator's profile to roaming.

You made my day :-)
I just tested it and it works. Now I won't be having network verification errors on computers with 802.1x enabled, logged in as the administrator, great!
