?
Solved

GPO deploy a user certificate to all users

Posted on 2013-06-26
6
Medium Priority
?
818 Views
Last Modified: 2013-06-28
Hi all,

im trying to use GPO to deploy a user certificate (if they dont have one) to all my users, rather then the tedious method of getting them to use https://ca/certsrv to request one.

ive followed a few guides
http://www.w7cloud.com/auto-enrollment-of-user-certificate/
http://www.lockergnome.com/windows/2005/01/06/how-to-configure-group-policy-for-automatic-computer-certificate-enrollment/

But the certificate isnt deploying to my test user, (the gpo has applied though)

on thing i ahvent done is the recovery agent from one of those guides, i didnt see how it was relevant?

anyone have any ideas or have done this before?
Thanks
0
Comment
Question by:awilderbeast
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 14

Expert Comment

by:luconsta
ID: 39277520
If your questions is "how to let user obtain a certificate from your local CA with less effort", I think the answer is by Configure Certificate Autoenrollment, because you cannot "deploy" something that do not exist (yet).
0
 
LVL 1

Author Comment

by:awilderbeast
ID: 39277551
i have enabled autoenrollment as seen in that link previously, no certificate a yet (24 hours)

Thanks
0
 
LVL 14

Expert Comment

by:luconsta
ID: 39277593
But did you configure any certificate templates? If not see here more details: Designing and Implementing a PKI: Part III Certificate Templates - also see in the template if you have "Autoenroll Allow" option checked.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 1

Author Comment

by:awilderbeast
ID: 39277609
yeah done that, domain users set to enrol/autoenroll, i did the same as that guide already.

is there a way to debug this, see where its failing?

Thanks
0
 
LVL 14

Accepted Solution

by:
luconsta earned 2000 total points
ID: 39283825
Usually, the autoenrollment messages should be found in Application Event Log on the client machine - for more details see Microsoft site for Troubleshooting Certificate Autoenrollment.

But what kind of certificate do you expect to be "autoenrolled"?... because the default User Template (that should be duplicated in order to be able to check the Autoenrollment in the Security tab - because is available only to version 2 and up certificates) will have only the following Application policies:

Client Authentication
Encrypting File System
Secure Email

In your case what certificate do you expect to be autogenerated?... because, for example, the EFS certificate will not be issued until the user will use for the first time the EFS.
0
 
LVL 1

Author Comment

by:awilderbeast
ID: 39283980
sorted!!

i was doing this in a test domain, and i had no email address on the user in AD, i enabled logging as per the above article and it comaplained about having a blank email!

all sorted!

Thanks
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Resolve DNS query failed errors for Exchange
This article explains how to install and use the NTBackup utility that comes with Windows Server.
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Suggested Courses

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question