EFS Auto enroll

Guest

I have enabled EFS and set group policies; however, users are not autoenrolling
EFS certificates.
If I look on the CA, there are issued certificates for some users but not
others. This does not seem dependent on the OU the user
is in, as a user in a particular OU has been issued a certificate while
another has not.

If I want the user to have a certificate, I have to manually create it using
the Certificates mmc.
All end users are using Windows XP Pro SP2.

Infrastructure:

Windows 2000 DC with 2000 AD

Installed Ent CA onto Windows 2003 Standard member server

Created Offline folder encryption group policy and redirection of My
Documents to network share - working correctly

Created all RAs

My default Domain policy contains the PKI settings:

Policy | Setting
Enroll certificates automatically | Enabled
Renew expired certificates, update pending certificates, and remove revoked certificates | Enabled
Update certificates that use certificate templates | Enabled
Allow users to encrypt files using Encrypting File System (EFS) | Enabled


Public Key Policies/Trusted Root Certification Authorities
Policy | Setting
Allow users to select new root certification authorities (CAs) to trust | Enabled
Client computers can trust the following certificate stores:

Third-Party Root Certification Authorities and Enterprise Root Certification
Authorities

To perform certificate-based authentication of users and computers, CAs must
meet the following criteria:

Registered in Active Directory only


On the Ent CA (added to Cert Publishers group):

Certificate templates:

Basic EFS template - minimum supported CA is Windows 2000. Autoenrollment is not allowed.
Properties: "Publish certificate in Active Directory" is checked but grayed out.
Security:
Authenticated Users - Read, Enroll
Domain Admins - Read, Write, Enroll
Domain Users - Read, Enroll
Enterprise Admins - Read, Write, Enroll

Certificate Authority has Basic EFS installed.

What am I missing? Is it because I have a mix of 2003 and 2000?


Thanks
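One check worth running on an affected client before changing more policy, added here as an example and not part of the original post: list the EFS-capable certificates in the user's personal store and show whether each one was issued by the enterprise CA or is the self-signed certificate EFS creates on its own when no CA-issued one is available, plus which template (if any) it came from. It assumes PowerShell is available on the client; the EFS EKU and v1 template-name OIDs are values I am supplying, and $EnterpriseCa is a placeholder for your CA's subject name.

```powershell
# Added example, not from the original thread. Inspect the current user's
# personal store for EFS-capable certificates and classify their origin.
$EfsEku        = '1.3.6.1.4.1.311.10.3.4'   # assumed: Encrypting File System EKU
$V1TemplateOid = '1.3.6.1.4.1.311.20.2'     # assumed: v1 "Certificate Template Name"
$EnterpriseCa  = 'CN=YOUR-ENT-CA'           # placeholder: your enterprise CA subject

$results = foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    # Find the Enhanced Key Usage extension and check for the EFS OID.
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasEfs = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsEku })
    if (-not $hasEfs) { continue }

    # v1 templates such as Basic EFS carry their name in this extension.
    $template = $cert.Extensions |
        Where-Object { $_.Oid.Value -eq $V1TemplateOid } |
        ForEach-Object { $_.Format($false) }

    # Self-signed means EFS fell back to generating its own certificate,
    # i.e. enrollment against the CA did not happen for this user.
    if ($cert.Subject -eq $cert.Issuer) {
        $origin = 'self-signed (EFS fallback)'
    } elseif ($cert.Issuer -like "*$EnterpriseCa*") {
        $origin = 'enterprise CA'
    } else {
        $origin = 'other issuer'
    }

    [pscustomobject]@{
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        Template = if ($template) { $template } else { '(none)' }
        NotAfter = $cert.NotAfter
        Origin   = $origin
    }
}

if (-not $results) { Write-Warning 'No EFS-capable certificate found in CurrentUser\My' }
$results | Format-Table -AutoSize
```

A user whose only EFS certificate shows "self-signed (EFS fallback)" has been encrypting without ever enrolling from the CA; a CA-issued one with Template "(none)" or a name other than EFS tells you which template actually served the request.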