Solved

GPO deploy a user certificate to all users

Posted on 2013-06-26
6
811 Views
Last Modified: 2013-06-28
Hi all,

im trying to use GPO to deploy a user certificate (if they dont have one) to all my users, rather then the tedious method of getting them to use https://ca/certsrv to request one.

ive followed a few guides
http://www.w7cloud.com/auto-enrollment-of-user-certificate/
http://www.lockergnome.com/windows/2005/01/06/how-to-configure-group-policy-for-automatic-computer-certificate-enrollment/

But the certificate isnt deploying to my test user, (the gpo has applied though)

on thing i ahvent done is the recovery agent from one of those guides, i didnt see how it was relevant?

anyone have any ideas or have done this before?
Thanks
0
Comment
Question by:awilderbeast
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 14

Expert Comment

by:luconsta
ID: 39277520
If your questions is "how to let user obtain a certificate from your local CA with less effort", I think the answer is by Configure Certificate Autoenrollment, because you cannot "deploy" something that do not exist (yet).
0
 
LVL 1

Author Comment

by:awilderbeast
ID: 39277551
i have enabled autoenrollment as seen in that link previously, no certificate a yet (24 hours)

Thanks
0
 
LVL 14

Expert Comment

by:luconsta
ID: 39277593
But did you configure any certificate templates? If not see here more details: Designing and Implementing a PKI: Part III Certificate Templates - also see in the template if you have "Autoenroll Allow" option checked.
0
Why You Need a DevOps Toolchain

IT needs to deliver services with more agility and velocity. IT must roll out application features and innovations faster to keep up with customer demands, which is where a DevOps toolchain steps in. View the infographic to see why you need a DevOps toolchain.

 
LVL 1

Author Comment

by:awilderbeast
ID: 39277609
yeah done that, domain users set to enrol/autoenroll, i did the same as that guide already.

is there a way to debug this, see where its failing?

Thanks
0
 
LVL 14

Accepted Solution

by:
luconsta earned 500 total points
ID: 39283825
Usually, the autoenrollment messages should be found in Application Event Log on the client machine - for more details see Microsoft site for Troubleshooting Certificate Autoenrollment.

But what kind of certificate do you expect to be "autoenrolled"?... because the default User Template (that should be duplicated in order to be able to check the Autoenrollment in the Security tab - because is available only to version 2 and up certificates) will have only the following Application policies:

Client Authentication
Encrypting File System
Secure Email

In your case what certificate do you expect to be autogenerated?... because, for example, the EFS certificate will not be issued until the user will use for the first time the EFS.
0
 
LVL 1

Author Comment

by:awilderbeast
ID: 39283980
sorted!!

i was doing this in a test domain, and i had no email address on the user in AD, i enabled logging as per the above article and it comaplained about having a blank email!

all sorted!

Thanks
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
ntp server 15 80
EXCH2013 Public Folder creation 1 49
Chrome does not work from a remote desktop session 6 104
Extend C: drive space - Vmware 2 40
Issue: One Windows 2008 R2 64bit server on the network unable to connect to a buffalo Device (Linkstation) with firmware version 1.56. There are a total of four servers on the network this being one of them. Troubleshooting Steps: Connect via h…
The article will show you how you can maintain a simple logfile of all Startup and Shutdown events on Windows servers and desktops with PowerShell. The script can be easily adapted into doing more like gracefully silencing/updating your monitoring s…
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question