Active Directory Certificate Services - Auto-Enrollment/Certificate Enrollment Policy
Hi,
Consider the following scenario:
- One Active Directory domain in one Active Directory forest
- Two Active Directory sites
- Two Active Directory Issuing CAs, one in each site
- Version 2 Computer template published on both CAs
- Auto-enrollment will be used for deploying Computer certificates
How can we control which CA the Auto-enrollment policy uses for requesting Computer certificates?
We want to control that clients in site 1 request certificates from CA 1, and clients in site 2 request certificates from CA 2.
April 4th, 2011 7:13am
On Mon, 4 Apr 2011 11:08:05 +0000, scripter42 wrote:
> How can we control which CA the Auto-enrollment policy uses for requesting Computer certificates?
> We want to control that clients in site 1 request certificates from CA 1, and clients in site 2 request certificates from CA 2.
The only way to accomplish this is to use two certificate templates and
then adjust the DACL on each certificate template. You'll need two
groups, one for each site that contains all of the computers in the site
and then assign Read, Enroll, and Autoenroll as appropriate.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Why do we want intelligent terminals when there are so many stupid users?
April 4th, 2011 7:28am
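
One way to apply and then check the per-site template DACLs described in the reply above, as an added example that is not part of the original thread. The template names, group names, and the use of the ActiveDirectory PowerShell module are assumptions, and the account running it needs write access to the templates in the Configuration partition.

```powershell
# Added example. Template and group names below are hypothetical placeholders.
Import-Module ActiveDirectory

# Control access rights defined in the AD schema for certificate templates
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment

# One template per site, one computer group per site (hypothetical names)
$Map = @{
    'ComputerSite1' = 'Site1-Computers'
    'ComputerSite2' = 'Site2-Computers'
}

$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$rights   = [System.DirectoryServices.ActiveDirectoryRights]

foreach ($template in $Map.Keys) {
    $path = "AD:\CN=$template,$base"
    $sid  = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity $Map[$template]).SID
    $acl  = Get-Acl -Path $path

    # Read, Enroll and Autoenroll for the site's computer group
    $rules = @(
        (New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights::GenericRead, $allow)),
        (New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights::ExtendedRight, $allow, $EnrollGuid)),
        (New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights::ExtendedRight, $allow, $AutoEnrollGuid))
    )
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $path -AclObject $acl

    # Check: list every principal that holds an explicit Autoenroll grant.
    # Any entry other than the intended site group (for example a grant
    # carried over from the template this one was duplicated from) would
    # also autoenroll against this template.
    (Get-Acl -Path $path).Access |
        Where-Object { $_.ObjectType -eq $AutoEnrollGuid -and $_.AccessControlType -eq 'Allow' } |
        Select-Object @{ n = 'Template'; e = { $template } }, IdentityReference, IsInherited
}
```

The listing at the end shows only explicit Autoenroll entries; principals holding full control on the template do not appear in it.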