Configure Public Key Group Policy

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use the Group Policy MMC snap-in to configure the following optional categories of public key Group Policy for sites, domains, and organizational units:

  • EFS Recovery Agents. By default, the local Administrator user account for the first domain controller installed in the domain is the EFS recovery account for that domain. You can specify alternate encrypted data recovery agents for EFS by importing into the policy the EFS recovery agent certificate for the appropriate alternate agent. You must first issue EFS recovery agent certificates to the user accounts on the local computers that you want to use as alternate recovery agents.

  • Automatic Certificate Enrollment. You can specify automatic enrollment and renewal for computer certificates. When automatic enrollment is configured, the specified certificate types are issued to all computers within the scope of the public key Group Policy. Computer certificates issued by means of automatic enrollment are renewed from the issuing CA. Automatic enrollment does not function unless at least one enterprise CA is on line to process certificate requests.

In addition, you can use Group Policy to configure a number of CA trust options. Group Policy trust is configured and enforced within a single domain only. This allows different users in different domains to trust different root CAs.

When possible, manage trust of third-party root certification authorities by using Group Policy, and limit their scope by using qualified subordination. Third-party root CAs can be constrained by namespace and purpose to prevent unwanted trust and namespace violations within the organization.

Group Policy trust configuration is found in the computer policy for \Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities. Users inherit policy from the computer policy. You can enable all computers and users to trust a root CA by adding the root CA certificate to Group Policy.

You can configure the following alternate trust options by selecting the Trusted Root Certification Authorities node in the Domain Security Policy MMC snap-in:

  • Enable or disable the ability for users to trust root CAs on a per-user basis. Use this option to disable users from trusting a root CA outside the Enterprise root trust, Group Policy, the default computer store root CA list, and the list of root CA certificates provided by Windows Update.

  • Allow both Enterprise CA trust and third-party CA trust or only Enterprise root trust. You can disable trust of third-party root CAs in the domain outside the enterprise root CA trust, including root certificates downloaded from the Windows Update. This disables user installation of root CA certificates.

Note

  • Disabling third-party CAs can impact user access to applications such as SSL-secured Web sites.