Solved

GPO deploy a user certificate to all users

Posted on 2013-06-26
6
805 Views
Last Modified: 2013-06-28
Hi all,

im trying to use GPO to deploy a user certificate (if they dont have one) to all my users, rather then the tedious method of getting them to use https://ca/certsrv to request one.

ive followed a few guides
http://www.w7cloud.com/auto-enrollment-of-user-certificate/
http://www.lockergnome.com/windows/2005/01/06/how-to-configure-group-policy-for-automatic-computer-certificate-enrollment/

But the certificate isnt deploying to my test user, (the gpo has applied though)

on thing i ahvent done is the recovery agent from one of those guides, i didnt see how it was relevant?

anyone have any ideas or have done this before?
Thanks
0
Comment
Question by:awilderbeast
  • 3
  • 3
6 Comments
 
LVL 14

Expert Comment

by:luconsta
ID: 39277520
If your questions is "how to let user obtain a certificate from your local CA with less effort", I think the answer is by Configure Certificate Autoenrollment, because you cannot "deploy" something that do not exist (yet).
0
 
LVL 1

Author Comment

by:awilderbeast
ID: 39277551
i have enabled autoenrollment as seen in that link previously, no certificate a yet (24 hours)

Thanks
0
 
LVL 14

Expert Comment

by:luconsta
ID: 39277593
But did you configure any certificate templates? If not see here more details: Designing and Implementing a PKI: Part III Certificate Templates - also see in the template if you have "Autoenroll Allow" option checked.
0
Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

 
LVL 1

Author Comment

by:awilderbeast
ID: 39277609
yeah done that, domain users set to enrol/autoenroll, i did the same as that guide already.

is there a way to debug this, see where its failing?

Thanks
0
 
LVL 14

Accepted Solution

by:
luconsta earned 500 total points
ID: 39283825
Usually, the autoenrollment messages should be found in Application Event Log on the client machine - for more details see Microsoft site for Troubleshooting Certificate Autoenrollment.

But what kind of certificate do you expect to be "autoenrolled"?... because the default User Template (that should be duplicated in order to be able to check the Autoenrollment in the Security tab - because is available only to version 2 and up certificates) will have only the following Application policies:

Client Authentication
Encrypting File System
Secure Email

In your case what certificate do you expect to be autogenerated?... because, for example, the EFS certificate will not be issued until the user will use for the first time the EFS.
0
 
LVL 1

Author Comment

by:awilderbeast
ID: 39283980
sorted!!

i was doing this in a test domain, and i had no email address on the user in AD, i enabled logging as per the above article and it comaplained about having a blank email!

all sorted!

Thanks
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Every now and then, Microsoft does something that totally impresses me. It doesn't happen often, but in this case I must say I am thoroughly impressed with Windows Server Backup. One of the long time issues with Windows Backup has been the ability t…
The article will show you how you can maintain a simple logfile of all Startup and Shutdown events on Windows servers and desktops with PowerShell. The script can be easily adapted into doing more like gracefully silencing/updating your monitoring s…
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through the process of configuring basic necessities in order to use the 2010 version of Data Protection Manager. These include storage, agents, and protection jobs. Launch Data Protection Manager from the deskt…

948 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now