Re: IAS and RAS server certificate enrollment

From: bdo <bdo.3a32rc@xxxxxxxxxxxxx>
Date: Tue, 27 May 2008 23:56:48 +0530

Thanks Brian!!! My permissions and GPO were correct, but rsop.msc
revealed another GPO that was overriding the computer autoenrollment
setting. (As a side note, that particular GPO setting is irritating. On
2003, once you set it, there doesn't seem to be a way to revert it back
to "not configured." Looks like that issue is fixed in 2008 though, and
that's how I worked around it.)

Brian Komar \(MVP\);3757222 Wrote:

1. Did you enable autoenrollment GPO for computers. It is a different
GPO
setting than for users
2. What are the permissions on the computer certificate template. Did
you
give the child domain\Domain COmputers group Read, Enroll, and
Autoenroll
permissions.

Run rsop.msc on the computer to determine the effective GPO settings
Brian

"bdo" <bdo.39w1zd@xxxxxxxxxxxxx> wrote in message
news:bdo.39w1zd@xxxxxxxxxxxxxxxx

Ok, shameless bump... Any ideas out there? I tested today on a

laptop

with Vista and got the same results. The user cert autoenrolls
perfectly, but no computer cert, yet I can enroll it through the

mmc.

So I'm starting to think it's a bug in my AD somewhere.

--
bdo

------------------------------------------------------------------------

bdo's Profile: http://forums.techarena.in/member.php?userid=50025
View this thread: http://forums.techarena.in/showthread.php?t=972722

http://forums.techarena.in

--
bdo
------------------------------------------------------------------------
bdo's Profile: http://forums.techarena.in/member.php?userid=50025
View this thread: http://forums.techarena.in/showthread.php?t=969571

http://forums.techarena.in

.

References:
- Child domain laptops autoenrolling user certs but not computer certs
  - From: bdo
- Re: Child domain laptops autoenrolling user certs but not computer certs
  - From: bdo
- Re: Child domain laptops autoenrolling user certs but not computer certs
  - From: Brian Komar \(MVP\)

Prev by Date: Re: Smart Card Logon RODC
Next by Date: Re: Allow non-Administrator to view and terminate processes for all users
Previous by thread: Re: Child domain laptops autoenrolling user certs but not computer certs
Next by thread: Retiring Certficate Authority
Index(es):
- Date
- Thread

Relevant Pages

Re: Loopback Processing
... As long as loopback is set in one GPO, ... >to be set in any other GPO that falls with the hierarchy? ... >why does it still apply the User Configuration settings. ... >>computer provided it has permissions to the GPO's. ...
(microsoft.public.windows.group_policy)
Re: dns administration delegation
... permissions that grant unnecessary rights. ... I wasn't aware of the GPO ... these admins full access to their local dns servers (which are also domain ...
(microsoft.public.windows.server.dns)
Re: dns administration delegation
... I'm more concerned about these admins to have the ... early in the deployment of DNS servers and then seldom if every ... permissions that grant unnecessary rights. ... I wasn't aware of the GPO ...
(microsoft.public.windows.server.dns)
Re: Computer componet of GP not being applied
... would expect that anything in the Computer Configuration portion of the GPO ... By "non-standard permissions", I mean what are the permissions on the GPO? ... If you look at the properties of the OU in which the Terminal Server resides ... > It all seems to be linked to the local user groups on the terminal server. ...
(microsoft.public.windows.group_policy)
Re: File System Security Setting Causes Slow Logon
... IMO the intent of filesystem ACLs in GPO is for only the very important ... > several machines at once so I put them all in an Organizational Unit, ... > (because it was setting the new NTFS permissions) but it worked. ... > assuming the cached settings on the machine need to be updated from the ...
(microsoft.public.security)