EFS Auto enroll



I have enabled EFS and set group policies; however, users are not autoenrolling
EFS certificates.
If I look on the CA, there are issued certificates for some users but not
others. This does not seem dependent on the OU the user
is in, as a user in a particular OU has been issued a certificate while
another has not.

If I want the user to have a certificate, I have to manually create it using
the Certificates MMC.
All end users are using Win XP Pro SP2.

Infrastructure:

Windows 2000 DC with 2000 AD

Installed Ent CA onto Windows 2003 Standard member server

Created Offline folder encryption group policy and redirection of My
Documents to network share - working correctly

Created all RAs

My default Domain policy contains the PKI settings:

Policy: Setting

Enroll certificates automatically: Enabled
Renew expired certificates, update pending certificates, and remove revoked
certificates: Enabled
Update certificates that use certificate templates: Enabled
Allow users to encrypt files using Encrypting File System (EFS): Enabled


Public Key Policies/Trusted Root Certification Authorities
Policy: Setting

Allow users to select new root certification authorities (CAs) to
trust: Enabled
Client computers can trust the following certificate stores:
Third-Party Root Certification Authorities and Enterprise Root Certification
Authorities
To perform certificate-based authentication of users and computers, CAs must
meet the following criteria:
Registered in Active Directory only


On the Ent CA (added to Cert Publishers group):

Certificate templates.

Basic EFS template - min supported is Windows 2000. Auto enrollment not
allowed
Properties have Publish Cert in AD checked but grayed out
Security has Authenticated users Read/ Enroll
Domain Admins Read/ Write / Enroll
Domain Users Read/ Enroll
Ent Admins Read/ Write / Enroll

Certificate Authority has Basic EFS installed.

What am I missing? Is it because I have a mix of 2003/ 2000?


Thanks
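Added diagnostic, not part of the original post: the script below enumerates the certificate templates published in Active Directory and reports, for each one, the three template-side conditions that user autoenrollment needs: a schema version of 2 or later (version 1 templates such as Basic EFS, whose AD object name is "EFS", cannot be edited or autoenrolled and have to be duplicated into a v2 template, which in turn can only be issued by a Windows Server 2003 Enterprise or Datacenter Edition CA, not Standard Edition), the CT_FLAG_AUTO_ENROLLMENT bit in msPKI-Enrollment-Flag, and an Allow ACE granting the Autoenroll extended right to the group that should enroll. Assumptions: it runs as a domain user with read access to the Configuration partition, on PowerShell 3.0 or later; the group name in $GroupToCheck is a placeholder to replace with the group used in your policy.

```powershell
# Added example (not the original poster's code). Lists AD certificate templates and
# shows whether each can be autoenrolled by the group named in $GroupToCheck.
$GroupToCheck = 'Domain Users'   # assumption: the group expected to autoenroll

# Bit in msPKI-Enrollment-Flag that marks a template as autoenrollable.
$CT_FLAG_AUTO_ENROLLMENT = 0x20
# Extended-right GUIDs for the Enroll and Autoenroll permissions on a template.
$EnrollRight     = [Guid]'0e10c968-78fb-11d1-a9c7-0000f875ac5c'
$AutoenrollRight = [Guid]'a05b8cc2-17bc-11d1-8d70-0000f875ac5c'

# Resolve the group to a SID once so ACE comparison does not depend on name translation.
$groupSid = (New-Object System.Security.Principal.NTAccount($GroupToCheck)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

$rootDse   = [ADSI]'LDAP://RootDSE'
$configNC  = $rootDse.Properties['configurationNamingContext'].Value
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

function Test-ExtendedRight {
    # True if an Allow ACE on $Entry grants the extended right $RightGuid
    # (or all extended rights) to the SID in $Sid.
    param(
        [System.DirectoryServices.DirectoryEntry]$Entry,
        [Guid]$RightGuid,
        [string]$Sid
    )
    $rules = $Entry.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $hasExtended = [int]($rule.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        if ($hasExtended -eq 0) { continue }
        # An empty ObjectType means "all extended rights"; otherwise the GUID must match.
        if ($rule.ObjectType -ne [Guid]::Empty -and $rule.ObjectType -ne $RightGuid) { continue }
        if ($rule.IdentityReference.Value -eq $Sid) { return $true }
    }
    return $false
}

$container.Children | ForEach-Object {
    $version = [int]$_.Properties['msPKI-Template-Schema-Version'].Value
    $flags   = [int]$_.Properties['msPKI-Enrollment-Flag'].Value
    [pscustomobject]@{
        Template           = [string]$_.Properties['cn'].Value
        DisplayName        = [string]$_.Properties['displayName'].Value
        SchemaVersion      = $version
        V2OrLater          = ($version -ge 2)             # v1 templates never autoenroll
        AutoEnrollFlag     = (($flags -band $CT_FLAG_AUTO_ENROLLMENT) -ne 0)
        GroupCanEnroll     = Test-ExtendedRight $_ $EnrollRight     $groupSid
        GroupCanAutoenroll = Test-ExtendedRight $_ $AutoenrollRight $groupSid
    }
} | Sort-Object Template | Format-Table -AutoSize
```

A template only autoenrolls for the group when all three of V2OrLater, AutoEnrollFlag and GroupCanAutoenroll are True (Read and Enroll are still required alongside Autoenroll). The template must also be configured on the CA: `certutil -CATemplates` run on the CA lists the templates it is willing to issue, and a template absent from that list will not be requested regardless of the GPO. On Windows XP the user autoenrollment task runs at logon and at Group Policy refresh, so a changed template is not picked up until one of those happens.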

