Configuring Group Policy

Applies To: Windows Server 2003 with SP1

This section shows how to configure the Group Policy settings for a site, domain, or organizational unit (OU).

How to Configure Group Policy

Group Policy settings for a site, domain, or OU must be configured to enable certificate autoenrollment in a domain.

To configure Group Policy

  1. Open the Active Directory Users and Computers MMC snap-in.

  2. Right-click the site, domain, or OU that you want to configure Group Policy for, and then click Properties.

  3. Click the Group Policy tab, and then click Edit (Figure 6).

    Figure 6: Selecting Group Policy Configuration Options

    Note

    Automatic enrollment of machine and domain controller certificates is configured in the same way, except that it is controlled through the machine policy of a Group Policy object.

  4. Click User Configuration, Windows Settings, Security Settings, and finally Public Key Policies. In Object Type, right-click Autoenrollment Settings (Figure 7), and then click Properties.

    Figure 7: Selecting Autoenrollment Settings

  5. Ensure that Enroll certificates automatically is selected, along with the two check boxes under this option (Figure 8). Automatic renewal, certificate cleanup, and publishing in Active Directory are enabled only when all options are selected.

    Note

    Both machine and user policy must be configured to enable certificate enrollment for both types.

    Figure 8: Selecting Autoenrollment Settings

  6. Click OK.

    Autoenrollment is now enabled.