Hello,
Your understanding is correct.
When a machine is removed from a domain or added to a new domain, all the
downloaded certificates from Active Directory will be removed and refreshed
if applicable. Certificates that were issued or autoenrolled from a
previous forest will not be removed unless the machine is a domain
controller. All client machines will automatically update certificates when
the domain or machine information changes. When machines or users have
certificates that are required for secure network communications, wireless
communications, and so on, it may be necessary to delete the old
certificates after joining a new domain or forest.
This is described in the following article, in the section "Removal of
Certificates on Domain Join/Change Domain":
Certificate Autoenrollment in Windows Server 2003
http://www.microsoft.com/technet/pro.../technologies/security/autoenro.mspx
Therefore, it would be better to revoke or delete the certificates first
and then disjoin the domain.
If you have further questions, let us get in touch!
Best regards,
Rebecca Chen
MCSE2000 MCDBA CCNA
Microsoft Online Partner Support
Get Secure! -
www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
>From: "PDuf" <(E-Mail Removed)>
>Subject: RE: Certificate autoenrollment and domain removal
>Date: Thu, 2 Dec 2004 05:59:01 -0800
>Newsgroups: microsoft.public.windowsxp.security_admin
>
>Thanks for your answer Rebecca
>
>Your answer means that if I want to use certificates obtained by
>autoenrollment to control access to my network with an IPSec policy or
>802.1x for wired networks, I have to remove a computer from the domain AND
>revoke its certificate if I want to deny it access.
>
>Thank you for your time
>
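The advice in the reply above is to revoke the certificates on the issuing CA and delete the local copies before disjoining the machine. As an added example that is not part of the original thread or of any Microsoft documentation, the following PowerShell script audits the local computer's personal certificate store for certificates issued by a CA of the forest the machine is about to leave and, only when asked, removes them. The issuer pattern `CN=OLD-FOREST-CA`, the script name, and the parameter names are placeholders I chose; the template extension OIDs are the standard ones Windows enterprise CAs stamp on autoenrolled certificates.

```powershell
# Added example (not from the original thread). Audit and optionally delete
# machine certificates in Cert:\LocalMachine\My that were issued by the old
# forest's CA. Run while still joined, after those certificates have been
# revoked on the CA (e.g. "certutil -revoke <SerialNumber> 5" on the CA host).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Issuer name fragment(s) of the old forest's CA(s); placeholder value.
    [string[]]$OldForestIssuerPattern = @('CN=OLD-FOREST-CA'),
    # Without -Remove the script only reports what it found.
    [switch]$Remove
)

# Certificate Template Name (v1) and Certificate Template Information (v2)
# extensions; their presence indicates an enterprise-CA (autoenrolled) cert.
$TemplateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $TemplateOids -contains $_.Oid.Value } |
        Select-Object -First 1
    if ($ext) { return $ext.Format($false) }
    return '<no template extension>'
}

# Select certificates whose issuer matches any of the old forest's CA names.
$stale = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $issuer = $_.Issuer
    ($OldForestIssuerPattern | Where-Object { $issuer -like "*$_*" }).Count -gt 0
}

# Report first, so the operator can match thumbprints against the CA's
# issued-certificates list before anything is deleted.
foreach ($c in $stale) {
    [pscustomobject]@{
        Thumbprint = $c.Thumbprint
        Subject    = $c.Subject
        Issuer     = $c.Issuer
        Template   = Get-TemplateName $c
        NotAfter   = $c.NotAfter
        HasKey     = $c.HasPrivateKey
    }
}

if ($Remove) {
    foreach ($c in $stale) {
        # ShouldProcess honours -WhatIf / -Confirm passed to the script.
        if ($PSCmdlet.ShouldProcess($c.Thumbprint, 'Remove from LocalMachine\My')) {
            Remove-Item -Path ("Cert:\LocalMachine\My\" + $c.Thumbprint)
        }
    }
}
```

Run it first as `.\Audit-OldForestCerts.ps1 -OldForestIssuerPattern 'CN=OLD-FOREST-CA'` to list candidates, then with `-Remove -WhatIf` to preview, and finally with `-Remove` from an elevated prompt. Deleting the local copy is housekeeping only: a machine is denied IPsec or 802.1X access because the CA has revoked its certificate and the gateway or RADIUS server checks the CRL, not because the file is gone from the store. After the machine joins the new forest, `certutil -pulse` triggers autoenrollment immediately instead of waiting for the next policy refresh.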