Solved

GPO deploy a user certificate to all users

Posted on 2013-06-26
6
803 Views
Last Modified: 2013-06-28
Hi all,

im trying to use GPO to deploy a user certificate (if they dont have one) to all my users, rather then the tedious method of getting them to use https://ca/certsrv to request one.

ive followed a few guides
http://www.w7cloud.com/auto-enrollment-of-user-certificate/
http://www.lockergnome.com/windows/2005/01/06/how-to-configure-group-policy-for-automatic-computer-certificate-enrollment/

But the certificate isnt deploying to my test user, (the gpo has applied though)

on thing i ahvent done is the recovery agent from one of those guides, i didnt see how it was relevant?

anyone have any ideas or have done this before?
Thanks
0
Comment
Question by:awilderbeast
  • 3
  • 3
6 Comments
 
LVL 14

Expert Comment

by:luconsta
Comment Utility
If your questions is "how to let user obtain a certificate from your local CA with less effort", I think the answer is by Configure Certificate Autoenrollment, because you cannot "deploy" something that do not exist (yet).
0
 
LVL 1

Author Comment

by:awilderbeast
Comment Utility
i have enabled autoenrollment as seen in that link previously, no certificate a yet (24 hours)

Thanks
0
 
LVL 14

Expert Comment

by:luconsta
Comment Utility
But did you configure any certificate templates? If not see here more details: Designing and Implementing a PKI: Part III Certificate Templates - also see in the template if you have "Autoenroll Allow" option checked.
0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 
LVL 1

Author Comment

by:awilderbeast
Comment Utility
yeah done that, domain users set to enrol/autoenroll, i did the same as that guide already.

is there a way to debug this, see where its failing?

Thanks
0
 
LVL 14

Accepted Solution

by:
luconsta earned 500 total points
Comment Utility
Usually, the autoenrollment messages should be found in Application Event Log on the client machine - for more details see Microsoft site for Troubleshooting Certificate Autoenrollment.

But what kind of certificate do you expect to be "autoenrolled"?... because the default User Template (that should be duplicated in order to be able to check the Autoenrollment in the Security tab - because is available only to version 2 and up certificates) will have only the following Application policies:

Client Authentication
Encrypting File System
Secure Email

In your case what certificate do you expect to be autogenerated?... because, for example, the EFS certificate will not be issued until the user will use for the first time the EFS.
0
 
LVL 1

Author Comment

by:awilderbeast
Comment Utility
sorted!!

i was doing this in a test domain, and i had no email address on the user in AD, i enabled logging as per the above article and it comaplained about having a blank email!

all sorted!

Thanks
0

Featured Post

Integrate social media with email signatures

Is your company active on social media? Do you also use email signatures? Including social media icons in your email signature is a great way to get fans for free. Let all your email users know you’re on social media quickly and easily, in a single click.

Join & Write a Comment

What to do when Windows Update is not working correctly? What tools can I use to detect the cause of the malfunction problem? What does this numeric error code mean? These and other questions that you have been asking in the past are answered here (…
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now