Autoenrolment GPO Bug Server 2003

Posted: December 19, 2011 in Uncategorized

Autoenrolment GPO Issue in 2003

There are 4 settings in a 2003 GPO that affect Autoenrolment:

1. Do not enroll certificates automatically
2. Enroll certificates automatically
   a. Renew expired certificates, update pending certificates, and remove revoked certificates
   b. Update certificates that use certificate templates

The first is self-explanatory; however, the second does not always work as advertised. It is common to create a GPO at the root of your domain and enforce it. In doing so, the settings it contains are enforced throughout the domain regardless of any GPOs you link lower down. It is also common to apply your autoenrolment settings here, ensuring that anything you set up for autoenrolment on the certificate templates can receive its certificates without further issue.

The problem occurs if you tick option 2 without the two sub-options a and b. The setting does not get applied, and any GPO further down the tree that touches these settings will take precedence. Oddly, if you then tick a and b and then untick them, the setting does work and the enforced GPO takes effect.

This can lead to some very odd behaviour: admins set all 3 options lower down with initial success, only to find later that re-enrolment disappears with no apparent change in policy.

It can also lead to severe head scratching as you try to work out why the enforced policy does not appear to be taking precedence.
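One way to tell which of the two situations you are in (the enforced root GPO actually landed, or it was silently skipped and a lower GPO won) is to read back the value Group Policy writes on the client instead of trusting the GPO editor. The script below is an added example and is not part of the original post. It assumes the policy is stored under HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment (and the matching HKCU path for user policy) in a DWORD named AEPolicy, and that the bit layout is 0x8000 = "Do not enroll", 0x4 = sub-option a, 0x2 = sub-option b, 0x1 = fetch pending requests (so 7 = fully enabled); verify those assumptions against your own environment before relying on the decoded text.

```powershell
# Added example, not from the original post. Reads the autoenrolment policy that
# Group Policy writes to the registry and decodes it, so you can see whether the
# enforced GPO actually took effect on a client.
#
# Assumptions to verify in your environment:
#   - key: HKLM (or HKCU)\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment
#   - value: AEPolicy (DWORD)
#   - bits: 0x8000 = Do not enroll, 0x4 = sub-option a (renew/pending/revoked),
#           0x2 = sub-option b (template check), 0x1 = fetch pending requests
function Get-AutoEnrollmentPolicy {
    param(
        [ValidateSet('Machine', 'User')]
        [string]$Scope = 'Machine'
    )
    $hive = if ($Scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
    $path = "$hive\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"

    $item = Get-ItemProperty -Path $path -Name AEPolicy -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No value at all: Group Policy never wrote the setting. This matches the
        # symptom in the post (option 2 ticked without a and b) where the enforced
        # GPO is ignored and a lower GPO decides the outcome.
        return New-Object PSObject -Property @{
            Scope   = $Scope
            Present = $false
            Raw     = $null
            State   = 'Not configured (AEPolicy value absent)'
        }
    }

    $raw = [int]$item.AEPolicy
    $state =
        if ($raw -band 0x8000) { 'Disabled: do not enroll certificates automatically' }
        elseif ($raw -eq 0)    { 'Enabled, but neither sub-option a nor b is set' }
        else {
            $opts = @()
            if ($raw -band 0x4) { $opts += 'a: renew expired / update pending / remove revoked' }
            if ($raw -band 0x2) { $opts += 'b: update certificates that use templates' }
            if ($raw -band 0x1) { $opts += 'fetch pending requests' }
            'Enabled: ' + ($opts -join '; ')
        }

    New-Object PSObject -Property @{
        Scope   = $Scope
        Present = $true
        Raw     = ('0x{0:X}' -f $raw)
        State   = $state
    }
}

# Usage: run on a client after "gpupdate /force", then compare the result with
# the GPO you expected to win (gpresult /r shows which GPOs were applied).
Get-AutoEnrollmentPolicy -Scope Machine
Get-AutoEnrollmentPolicy -Scope User
```

Checking both scopes matters because machine and user autoenrolment are separate settings; an enforced root GPO that is "working" for computers can still be the one that silently dropped out for users. If the value is absent on a client that should have inherited the enforced policy, that is the condition the post describes, and re-ticking then unticking a and b in the root GPO is the workaround it suggests.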
