Push Domain User certificate via Group Policy.

Afiniti Exchange AD
Push Domain User certificate via Group Policy, any impact?
Alex, Senior Infrastructure Analyst

Commented:
Yeah, on all users.....

Can you be a bit more specific? If you push a user profile via group policy, it'll apply to all users the policy is applied to in the OU you assign it to. Which is exactly what it's meant to do.

What's the GPO doing?

Author

Commented:
We need to push Internal CA user certificates.
Alex, Senior Infrastructure Analyst
Commented:
Right,

I mean if they are CA certificates, they are normally computer based certificates. What are the certificates used for?

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy

Author

Commented:
These are Domain User certificates that users will be using to access Wi-Fi services using EAP/TLS.
Alex, Senior Infrastructure Analyst
Commented:
Well, if that's by design, you follow the best practice guides, then push out the certificate to multiple machines, then yes, that should work.

You asked if it would impact, the answer is test your group policy on a small subset PRIOR to pushing out to everyone else. Things in the wild are exactly that, wild, sometimes things go wrong.

Small subset, then roll out.
Sr. Systems Administrator
Commented:
You don't "push out" user or Computer Certificates, you push an enrollment policy. The users will then be automatically enrolled and receive a certificate from the CA. As far as impact, no, there is no impact to users for this. May take a few days to get them all enrolled depending on the number of users. All they will do is get a certificate from your internal CA and place it in the Users Certificate Store. We do the same thing with Computer Certificates for DirectAccess.
As far as Alex's advice, yes always better to test any policy on a small group. I would recommend a test OU with a few people or initially filtering the policy for a small group of users just to be sure it works the way you want. If it works, you can remove the group filter and set it for Authenticated User again (or assign it to the OUs you want depending on how you test it).
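
A read-only check that a pilot user can run to confirm the user autoenrollment policy arrived and produced a certificate usable for EAP-TLS. This is an added example, not part of the thread; the CA name pattern is a placeholder, and the filter assumes the certificate template includes the Client Authentication EKU.

```powershell
# Added example: run in the session of a user in the test OU / filtered group.
param(
    # Placeholder (assumption): set to match the subject of your internal issuing CA.
    [string]$IssuerPattern = '*CN=Example-Internal-CA*'
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# 1. Did the user-scope autoenrollment policy reach this session?
$aeKey    = 'HKCU:\Software\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy

if ($null -eq $aePolicy) {
    Write-Warning 'No user autoenrollment policy present. Check GPO link and security filtering (gpresult /r /scope:user).'
} else {
    # Bit 0x8000 set means autoenrollment is explicitly disabled by policy.
    $state = if ($aePolicy -band 0x8000) { 'disabled' } else { 'enabled' }
    Write-Output ('AEPolicy = 0x{0:X} ({1})' -f $aePolicy, $state)
}

# 2. Is there a currently valid client-auth certificate from the internal CA
#    with a private key in the user's Personal store?
$now   = Get-Date
$certs = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.Issuer -like $IssuerPattern -and
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
})

if ($certs.Count -eq 0) {
    Write-Warning "No valid client-auth certificate matching '$IssuerPattern' yet."
    Write-Output  'Enrollment can lag behind policy; re-check after the next logon or policy refresh.'
} else {
    $certs | Select-Object Subject, Thumbprint, NotAfter,
        @{ Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - $now).TotalDays } } |
        Format-Table -AutoSize
    if ($certs.Count -gt 1) {
        Write-Warning "$($certs.Count) matching certificates found; review for duplicate enrollment."
    }
}
```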
