Solved

GPO deploy a user certificate to all users

Posted on 2013-06-26
6
808 Views
Last Modified: 2013-06-28
Hi all,

im trying to use GPO to deploy a user certificate (if they dont have one) to all my users, rather then the tedious method of getting them to use https://ca/certsrv to request one.

ive followed a few guides
http://www.w7cloud.com/auto-enrollment-of-user-certificate/
http://www.lockergnome.com/windows/2005/01/06/how-to-configure-group-policy-for-automatic-computer-certificate-enrollment/

But the certificate isnt deploying to my test user, (the gpo has applied though)

on thing i ahvent done is the recovery agent from one of those guides, i didnt see how it was relevant?

anyone have any ideas or have done this before?
Thanks
0
Comment
Question by:awilderbeast
  • 3
  • 3
6 Comments
 
LVL 14

Expert Comment

by:luconsta
ID: 39277520
If your questions is "how to let user obtain a certificate from your local CA with less effort", I think the answer is by Configure Certificate Autoenrollment, because you cannot "deploy" something that do not exist (yet).
0
 
LVL 1

Author Comment

by:awilderbeast
ID: 39277551
i have enabled autoenrollment as seen in that link previously, no certificate a yet (24 hours)

Thanks
0
 
LVL 14

Expert Comment

by:luconsta
ID: 39277593
But did you configure any certificate templates? If not see here more details: Designing and Implementing a PKI: Part III Certificate Templates - also see in the template if you have "Autoenroll Allow" option checked.
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 
LVL 1

Author Comment

by:awilderbeast
ID: 39277609
yeah done that, domain users set to enrol/autoenroll, i did the same as that guide already.

is there a way to debug this, see where its failing?

Thanks
0
 
LVL 14

Accepted Solution

by:
luconsta earned 500 total points
ID: 39283825
Usually, the autoenrollment messages should be found in Application Event Log on the client machine - for more details see Microsoft site for Troubleshooting Certificate Autoenrollment.

But what kind of certificate do you expect to be "autoenrolled"?... because the default User Template (that should be duplicated in order to be able to check the Autoenrollment in the Security tab - because is available only to version 2 and up certificates) will have only the following Application policies:

Client Authentication
Encrypting File System
Secure Email

In your case what certificate do you expect to be autogenerated?... because, for example, the EFS certificate will not be issued until the user will use for the first time the EFS.
0
 
LVL 1

Author Comment

by:awilderbeast
ID: 39283980
sorted!!

i was doing this in a test domain, and i had no email address on the user in AD, i enabled logging as per the above article and it comaplained about having a blank email!

all sorted!

Thanks
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Understanding the various editions available is vital when you decide to purchase Windows Server 2012. You need to have a basic understanding of the features and limitations in each edition in order to make a well-informed decision that best suits y…
What to do when Windows Update is not working correctly? What tools can I use to detect the cause of the malfunction problem? What does this numeric error code mean? These and other questions that you have been asking in the past are answered here (…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question