We have added a certificate root server to our network to implement NAP. We use automatic certificate enrollment. The automatic enrollment GPO isn’t scoped to the administrator. The administrator account doesn’t have a roaming profile. Now that 802.1x is activated, when I login to a computer with 802.1x enabled, using the administrator account, the network connection gets blocked after the reauthentication, because the administrator doesn’t have a user certificate. I can’t link a GPO to the Build In User OU, in which the administrator account is located. Now I can add the administrator to the scope of the automatic enrollment GPO. But then the administrator gets a new certificate during every login to a computer, on which there wasn’t a user certificate enrolled yet to the local profile. Then I have to change the profile of the administrator to a roaming profile. Also I have to create and link a GPO to the administrator to prevent the Desktop and Startmenu and Documents to roam. To make this work I have to create a GPO with loopback processing, scoped to the administrator. But because the loopback policy is a Computer policy, I also have to add all the computers to the scope of this loopback GPO. Or I can also move the administrator account to an OU to which a GPO can be linked.
Or also I can stop using THE administrator account, disable the account as usually advised by Microsoft, and create a new user account with the same rights and privileges and add it to the User OU to get the certificate with auto enrollment and prevent the Desktop and Startmenu and Documents to roam.
I’m looking for advise and tips how you are solving this in your domain?