BLOG ��

Total found 1 articles on 2017-2-6.

電腦技術 2017-2-6 1:06:29

Windows Server - enroll user and computer certificate in AD

Auto enroll computer certificate:

Create a computer certificate template

Start->Run-> certtmpl.msc

Give the new certificate template a name, in my case, I named it “Computer AutoEnroll”

Now let’s publish this certificate template

Start->Run-> certsrv.msc

Select the “Computer AutoEnroll” certificate template

Create the group policy for auto enrollment

Start->Run-> gpmc.msc

Computer Configuration->Windows Settings->Security Settings->Public Key Policies->Certificate Services Client – Auto-Enrollment

Make sure the “Authenticated Users” or “Domain Computers” both have the Read, Enroll and Autoenroll permission since “authenticated Users” included all of the domain computers by default

Done, just using gpupdate /force command to push out the new policy. And you have to reboot the client computer to get the computer certificate since computer policy only take effect when the computer boot up.

After reboot, you can use the local computer certificate store to check your certificate: Start->Run->MMC->File->Add remove snap in->Certificate->Computer account

You can always using the new quick way I mentioned before in Windows Server 2012 or using the way here in Window Server 2008 by just Start->Run->certlm.msc
Auto enrollment of user certificate in AD

Create a user certificate template

Start->Run-> certtmpl.msc

Give it a name: “User Auto Enroll”

Make sure the “Enroll subject without requiring any user input” has been selected

Make sure the Authenticated Users or Domain Users has the below permission

Publish the new user certificate template

Select the “User AutoEnroll” certificate template

Create the group policy for auto enrollment

User Configuration->Windows Settings->Security Settings->Public Key Policies->Certificate Services Client – Auto-Enrollment

Now run gpupdate /force and logout and log back in, check the user certificate store by Start->Run->certmgr.msc