Users issued certificates who don't have auto-enroll rights
Hi, I have a Windows 2003 Enterprise CA environment in a Windows 2008 R2, SP domain that we use both for generating web certificates and EFS certs, and we've also created a template for user certificates. We have users broken into two major groups: "studentsall" and "staffall". I assigned auto-enroll rights to the staffall group, and the Domain Users group has enroll rights (default setting). I then set up auto-enroll in GP (following the basic steps in http://technet.microsoft.com/en-us/library/cc700804.aspx), applying it at the domain level (the student OU blocks inheritance and it's not applied lower down in the OU structure).

Initially this worked well, as only staff members were getting the user certificate, but I got the occasional error in the logs on service accounts that didn't have email addresses (the certificate template included the email address, which generated the error when trying to enroll the certificates). While troubleshooting a different issue with certificates I removed the email portion of the certificates to prevent the error messages. Subsequently student accounts were getting issued certificates (I hadn't seen errors for trying to enroll them previously, so this was unexpected). I re-checked the group policy and permissions, and again the only thing I could see that allows students to get certificates is that they are part of Domain Users, but since this group doesn't have auto-enroll rights it was unclear how these were getting issued.

As a workaround I set deny enroll on the studentsall group and deleted existing certs for these accounts, which is preventing them from getting certificates. However, this is a workaround and I was wondering if anyone had an idea of why they were getting issued certificates and where I might look. Thanks for any thoughts/ideas,

Chris
May 18th, 2011 9:30pm

Hi Chris,

"As a workaround I set deny enroll on the studentsall group and deleted existing certs for these accounts, which is preventing them from getting certificates."

Not sure if it's the same as I thought. I recommend adding Deny Autoenroll and Enroll rights for the studentsall group in the certificate template, not setting up deny rights in the GPO.

Regards,
Rick Tan
May 20th, 2011 7:09am
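An added example (not from either post above) that does the two things this thread turns on: it lists who effectively holds Enroll and Autoenroll on a certificate template, so the question in the first post ("the only thing I could see that allows students to get certificates is Domain Users") can be answered from the actual ACL rather than from the GUI, and it adds the Deny ACEs the reply recommends. It assumes the RSAT ActiveDirectory module, rights to read and (for the deny step) modify the Configuration partition, and it uses the template name "User" and the group name "studentsall" from the thread as placeholders. The two extended-right GUIDs are the schema-defined Certificate-Enrollment and Certificate-AutoEnrollment rights; the template's CN is its internal name (no spaces), not its display name, so check `certutil -template` if the name is not found.

```powershell
# Added example, not code from the original thread. Requires RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Schema-defined extended rights that AD CS checks on a template's ACL.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-00e0-46ab-b91cff9b9a1c'   # Certificate-AutoEnrollment

function Get-TemplateDN {
    param([Parameter(Mandatory)][string]$TemplateName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
}

# One row per ACE on the template, with Enroll/AutoEnroll resolved from the ACE's
# rights and ObjectType. GenericAll, or ExtendedRight with an empty ObjectType
# (= all extended rights), grants both; these are the cases the GUI hides.
function Get-TemplateEnrollmentAces {
    param([Parameter(Mandatory)][string]$TemplateName)
    $dn  = Get-TemplateDN -TemplateName $TemplateName
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        $rights  = $ace.ActiveDirectoryRights
        $all     = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
        $ext     = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        $allExt  = $ext -and ($ace.ObjectType -eq [guid]::Empty)
        [pscustomobject]@{
            Identity   = $ace.IdentityReference.Value
            Type       = $ace.AccessControlType          # Allow or Deny
            Enroll     = $all -or $allExt -or ($ext -and $ace.ObjectType -eq $EnrollGuid)
            AutoEnroll = $all -or $allExt -or ($ext -and $ace.ObjectType -eq $AutoEnrollGuid)
            Inherited  = $ace.IsInherited
        }
    }
}

# Adds Deny ACEs for Enroll and Autoenroll for one group on the template's AD object,
# which is what the reply recommends instead of a GPO-side deny. Supports -WhatIf.
function Add-TemplateDenyEnrollment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$TemplateName,
        [Parameter(Mandatory)][string]$GroupName
    )
    $dn  = Get-TemplateDN -TemplateName $TemplateName
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($right in $EnrollGuid, $AutoEnrollGuid) {
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Deny,
            $right)
        $acl.AddAccessRule($rule)
    }
    if ($PSCmdlet.ShouldProcess($dn, "Deny Enroll and Autoenroll for $GroupName")) {
        Set-Acl -Path "AD:\$dn" -AclObject $acl
    }
}

# Usage (placeholder names from the thread):
Get-TemplateEnrollmentAces -TemplateName 'User' |
    Where-Object { $_.Enroll -or $_.AutoEnroll } |
    Format-Table Identity, Type, Enroll, AutoEnroll, Inherited -AutoSize

# Dry run first, then apply:
Add-TemplateDenyEnrollment -TemplateName 'User' -GroupName 'studentsall' -WhatIf
# Add-TemplateDenyEnrollment -TemplateName 'User' -GroupName 'studentsall'
```

When reading the audit output, look for rows where Enroll or AutoEnroll is true for a group the students are members of through nesting (the script reports the ACE's identity, not nested membership, so check the group's members with Get-ADGroupMember -Recursive), and for Allow rows with an empty ObjectType or GenericAll, which the Certificate Templates snap-in shows as "Full Control" rather than as Autoenroll. A Deny ACE wins over any Allow the same user picks up elsewhere, which is why the template-side deny in the reply is a durable fix while a GPO-scoped change only controls whether the client asks.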

