Configuring Group Policy
Updated: January 1, 2003
Applies To: Windows Server 2003 with SP1
This section shows how to configure the Group Policy settings for a site, domain, or organizational unit (OU).
How to Configure Group Policy
Group Policy settings for a site, domain, or OU must be configured to enable certificate autoenrollment in a domain.
To configure Group Policy
Open the Active Directory Users and Computers MMC snap-in.
Right-click the site, domain, or OU that you want to configure Group Policy for, and then click Properties.
Click the Group Policy tab, and then click Edit (Figure 6).
Figure 6: Selecting Group Policy Configuration Options
Note: Machine policy for automatic enrollment of machine and domain controller certificates is configured identically, even though it is controlled through the machine policy of a Group Policy object.
Click User Configuration, Windows Settings, Security Settings, and finally Public Key Policies. In Object Type, right-click Autoenrollment Settings (Figure 7), and then click Properties.
Figure 7: Selecting Autoenrollment Settings
Ensure that Enroll certificates automatically is selected, as well as the two check boxes under this option (Figure 8). Automatic renewal, certificate cleanup, and publishing in Active Directory are only enabled with all options selected.
Figure 8: Selecting Autoenrollment Settings
Note: Both machine and user policy must be configured to enable certificate enrollment for both types.
Autoenrollment is now enabled.
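To confirm on a client that the policy reached both scopes (machine and user policy are configured separately, as the note above says), the following PowerShell check is an added example and not part of the original procedure. It assumes the setting is stored as the AEPolicy DWORD under Software\Policies\Microsoft\Cryptography\AutoEnrollment, with the bit meanings given in the comments; neither the registry path nor the values appear on this page.

```powershell
# Added example (not from the original page): read the autoenrollment policy
# that Group Policy applied for the computer and for the current user.
# Assumption: the setting is stored as the AEPolicy DWORD under this key.
$subKey = 'Software\Policies\Microsoft\Cryptography\AutoEnrollment'

function Get-AutoenrollmentState {
    param([string]$Hive, [string]$Scope)

    $item = Get-ItemProperty -Path "${Hive}:\$subKey" -Name AEPolicy -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Key or value absent: no autoenrollment policy configured for this scope.
        return New-Object PSObject -Property @{
            Scope = $Scope; AEPolicy = '(not set)'; Enabled = $false
            RenewAndCleanup = $false; UpdateFromTemplates = $false; AllOptions = $false
        }
    }

    $raw = [int]$item.AEPolicy
    # Assumed bit meanings:
    #   0x8000 = autoenrollment disabled
    #   0x6    = renew expired / update pending / remove revoked certificates
    #   0x1    = update certificates that use certificate templates
    $enabled = ($raw -band 0x8000) -eq 0
    $renew   = $enabled -and (($raw -band 0x6) -eq 0x6)
    $update  = $enabled -and (($raw -band 0x1) -eq 0x1)

    New-Object PSObject -Property @{
        Scope = $Scope; AEPolicy = ('0x{0:X}' -f $raw); Enabled = $enabled
        RenewAndCleanup = $renew; UpdateFromTemplates = $update
        AllOptions = ($renew -and $update)
    }
}

$report = @(
    Get-AutoenrollmentState -Hive 'HKLM' -Scope 'Machine'
    Get-AutoenrollmentState -Hive 'HKCU' -Scope 'User'
)
$report | Select-Object Scope, AEPolicy, Enabled, RenewAndCleanup, UpdateFromTemplates, AllOptions |
    Format-Table -AutoSize

# Flag any scope where the option and its two check boxes are not all selected.
$report | Where-Object { -not $_.AllOptions } | ForEach-Object {
    Write-Warning "$($_.Scope) autoenrollment policy is missing or incomplete."
}
```

Run it after Group Policy has refreshed on the client; a scope reported as "(not set)" means no Group Policy object in scope configures autoenrollment for it.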