Group Policy for cert auto enrollment

(attached image: questiona.png, showing the layout described below)


Policy A has a filter limited to security group A.
PC A is a member of security group A.
Hi, I am not familiar with group policy. I tried to simulate my company's situation as above,
but it does not work.
1. Can PC A apply Policy A? I tried, but it does not work.
2. I suppose moving Policy A to the top domain level should work, but the company does not do it that way.
3. Is there any command that can help to check? I don't know why this works in existing production, but I cannot simulate it.
Thank you




1 Answer


"Can PC A apply Policy A?"

It cannot. Policy_A is applied to OU_A, and OU_A does not contain the object PC_A. As a result, GPO_A does not apply to PC_A. GPOs do not apply to groups.

"I suppose moving Policy A to the top domain level should work"

You need to apply Policy_A to OU_B, where the target objects reside.


Hi Crypt32,
I understand the concept you described, but I still cannot figure out how my company's policy makes auto enrollment happen.
Please allow me to ask more questions here.
(attached image: image.png, the RSoP result referred to below)



I ran RSoP and got the result above.
1. Is enabling only "Automatic certificate management" enough to auto enroll?
2. "Enroll new certificates, renew expired certificates, process pending requests and remove revoked certificates": does it mean it supports updating an enrolled certificate when it is renewed, removed, or held for renewal?
3. "Update and manage certificates that use certificate templates from Active Directory": what does this mean?
4. Is this policy applied from the "Default setting"? Which policy exactly?

Thank you

1. Technically, yes. However, you should enable both checkboxes in the autoenrollment policy so that autoenrolled certificates are renewed automatically and on time.

2. Yes.

3. This setting allows manually requested certificates to be renewed automatically if the template supports this.

4. The default setting is the setting the client will use if no policy is configured.

Some time ago I wrote a new whitepaper on certificate autoenrollment in deep detail: https://www.sysadmins.lv/blog-en/certificate-autoenrollment-in-windows-server-2016-summary.aspx. There is a downloadable PDF copy of the document.


Thank you Crypt32

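As an added example (not from the thread), a PowerShell check to run on PC_A that answers the asker's question 3: it lists which GPOs reached the computer and which were filtered out, then decodes the autoenrollment policy the client actually received. The report path is an arbitrary choice, and the AEPolicy bit meanings are as I understand the policy editor to write them, so treat that decoding as an assumption.

```powershell
# Added example, not code from the thread. Run in an elevated prompt on PC_A.

# Part 1: which GPOs reached the computer (the same RSoP data the question's screenshot came from).
$report = Join-Path $env:TEMP 'rsop-computer.xml'   # assumed output path
gpresult /scope computer /x $report /f | Out-Null
[xml]$rsop = Get-Content -Path $report

# Element names follow the gpresult XML report. A GPO linked only to an OU that does
# not contain PC_A (the Policy_A / OU_A case from the answer) never appears in this
# list at all; a GPO linked in scope but blocked by security filtering appears with
# FilterAllowed = false, which is how to tell the two failure modes apart.
$rsop.Rsop.ComputerResults.GPO | ForEach-Object {
    [pscustomobject]@{
        GPO          = $_.Name
        LinkedTo     = ($_.Link.SOMPath -join '; ')
        FilterAllowed = $_.FilterAllowed
        AccessDenied = $_.AccessDenied
        Applied      = ($_.IsValid -eq 'true') -and ($_.FilterAllowed -eq 'true') -and ($_.AccessDenied -ne 'true')
    }
} | Format-Table -AutoSize

# Part 2: what "Certificate Services Client - Auto-Enrollment" actually wrote on the client.
# AEPolicy is a bit field (assumed values): 0x1 = enabled, 0x2 = "renew expired, update
# pending, remove revoked", 0x4 = "update certificates that use certificate templates",
# 0x8000 = policy explicitly Disabled. 7 = enabled with both checkboxes ticked.
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = Get-ItemProperty -Path $aeKey -ErrorAction SilentlyContinue
if ($null -eq $ae -or $null -eq $ae.AEPolicy) {
    # Nothing delivered by GPO: this is the "default setting" case from question 4.
    Write-Output 'No autoenrollment policy delivered by GPO; the client uses its default setting.'
} else {
    $flags = [int]$ae.AEPolicy
    [pscustomobject]@{
        AEPolicy                   = ('0x{0:X}' -f $flags)
        Enabled                    = ($flags -band 0x1) -ne 0
        RenewExpiredPendingRevoked = ($flags -band 0x2) -ne 0
        UpdateTemplateBased        = ($flags -band 0x4) -ne 0
        Disabled                   = ($flags -band 0x8000) -ne 0
        RenewAtPercentLifetime     = $ae.OfflineExpirationPercent
    } | Format-List
}
```

If Policy_A is missing from the first table entirely, fix the link (OU_B, as the answer says) rather than the security filtering; if it appears with FilterAllowed = false, the problem is the filter on the GPO, not its link.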