Posted by StuartH on June 19, 2007, 4:59 pm
We have stumbled across something a little bizarre when trying to set
auto-enrollment for computers at levels below the domain object.
What I mean, is that if we set a GPO (say in the default domain policy) at
the root of the domain to autoenroll, then computer objects happily accept
the cert that is automatically given to them. However, further down, if we
set a GPO (say at a server OU) to not autoenroll... this is ignored. The GPO
*is* applying and it is just the AE settings that are not being applied.
This seems to be behaviour similar to how EFS cannot be turned on/off
throughout a domain/OU level... if you set EFS to enabled in the root of a
domain, you cannot turn it "off" lower down without having a deny ACE set on
the subOU (so they can read the GPO setting EFS in the domain GPO).
We basically want to be able to have servers and workstations auto-enroll
but not DCs. We could set a deny ACE for Enterprise DCs so they cannot read
the cert-authentication CA template...but I would rather have autoenrollment
work properly, by GPOs.
Anyone seen this behaviour or can explain it?
Thanks
Stuart
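To see which auto-enrollment setting a given computer (for example a DC that is supposed to be opted out) actually ended up with, the policy Group Policy applies is written to the registry as the AEPolicy flags value. The script below is an added example, not from the original post; it reads and decodes that value for the Machine and User scopes. The registry path and the AUTO_ENROLLMENT_* flag names are the CertEnroll constants; the "Not configured" wording for a missing value is an assumption about what the absence of the value means on a given build.

```powershell
# Added example (not from the original post): report the effective certificate
# auto-enrollment policy that Group Policy wrote to this host's registry.
# Flag names follow the CertEnroll AUTO_ENROLLMENT_* constants.
$KeyPath = 'SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$Flags = [ordered]@{
    0x1    = 'ENABLE_TEMPLATE_CHECK'
    0x2    = 'ENABLE_MY_STORE_MANAGEMENT'
    0x4    = 'ENABLE_PENDING_FETCH'
    0x8000 = 'DISABLE_ALL'   # the "Do not enroll certificates automatically" setting
}

function Get-AutoEnrollmentState {
    param([ValidateSet('Machine', 'User')][string]$Scope)
    $hive = if ($Scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
    $item = Get-ItemProperty -Path "$hive\$KeyPath" -Name AEPolicy -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No AEPolicy value: assumed to mean no GPO in scope configured auto-enrollment.
        return [pscustomobject]@{ Scope = $Scope; AEPolicy = $null; State = 'Not configured by policy'; Flags = @() }
    }
    $value = [int]$item.AEPolicy
    $set = foreach ($bit in $Flags.Keys) { if ($value -band $bit) { $Flags[$bit] } }
    $state = if ($value -band 0x8000) { 'Disabled' }
             elseif ($value -eq 0)    { 'Enabled (no options set)' }
             else                     { 'Enabled' }
    [pscustomobject]@{ Scope = $Scope; AEPolicy = ('0x{0:X}' -f $value); State = $state; Flags = @($set) }
}

# Show both scopes; on a DC that should be opted out, Machine should report Disabled.
'Machine', 'User' | ForEach-Object { Get-AutoEnrollmentState -Scope $_ } | Format-List
```

Run it on the DC after a gpupdate; if the OU-level GPO is being ignored as described in the post, the Machine scope will still show the domain-level flags, and `gpresult /scope computer /v` will show which GPO supplied them.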