Group security permissions for certificate template not working

12,599

You need to reboot the servers after changing their Security group membership.
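A check for the failure described on this page, as an added example that is not part of the original answer or thread. It tests whether the group's SID appears in the security groups that Group Policy recorded for the computer at its last refresh. The script, its parameter, and the sample group name are hypothetical, and it assumes RSoP logging is enabled and that it is run elevated on the affected server.

```powershell
# Added example (hypothetical helper, not from the original thread).
# Run elevated on the server that fails to autoenroll.
param(
    [Parameter(Mandatory)]
    [string]$GroupName   # constructed sample: 'CONTOSO\WebServers-CertEnroll'
)

# Resolve the group name to a SID so the comparison does not depend on
# display names or localisation.
try {
    $groupSid = ([System.Security.Principal.NTAccount]$GroupName).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}
catch [System.Security.Principal.IdentityNotMappedException] {
    Write-Error "Cannot resolve '$GroupName' to a SID. Check the name and domain."
    exit 2
}

# RSOP_Session (computer scope) stores the result of the last Group Policy
# refresh, including the security group SIDs evaluated for this computer.
$session = Get-CimInstance -Namespace 'root\rsop\computer' `
                           -ClassName 'RSOP_Session' `
                           -ErrorAction SilentlyContinue |
           Select-Object -First 1

if (-not $session -or -not $session.SecurityGroups) {
    Write-Error 'No computer RSoP data found. Run gpupdate /target:computer and retry.'
    exit 2
}

if ($session.SecurityGroups -contains $groupSid) {
    Write-Output "OK: $GroupName ($groupSid) is in the computer's recorded groups."
    exit 0
}

# The account may already be a member in AD, but this machine has not picked
# the membership up yet. The fix given on this page is to reboot.
Write-Output "MISSING: $GroupName ($groupSid) is not in the computer's recorded groups."
Write-Output 'Reboot the server after the group change, then run gpupdate again.'
exit 1
```

An exit code of 1 before the reboot and 0 after it confirms that the template permissions were correct and only the computer's group membership was stale.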


Author: JMP

Updated on September 18, 2022

Comments

  • JMP
    JMP over 1 year

    I have a certificate template published on my domain-joined Server 2016 Enterprise CA - I'm trying to set up certificate autoenrollment for our internal webservers.

    When the template has read/enroll/autoenroll permissions granted directly to a Computer Account, the computer in question can autoenroll.

    When read/enroll/autoenroll permissions are assigned to the built-in group "Domain Computers", (any) domain joined computers can also autoenroll.

    When security permissions are assigned to a global security group containing computer accounts as members, these computers cannot autoenroll. When using the "request new certificate" from the computer's certificate manager - I can select the template in question, but it fails with the error "The permissions on the certificate template do not allow the current user to enroll for this type of certificate". I can see failures on the CA when doing a GPUpdate on a computer which should have permission to enrol.

    I suspect I'm missing something stupid - any suggestions on things to check?

    • Admin
      Admin over 6 years
      Did you reboot the servers after adding them to this Security group? If not, you'll need to.
    • Admin
      Admin over 6 years
      Herp, that was it. My suspicions were correct. Thanks :)
    • Admin
      Admin over 6 years
      Glad to help...
  • joeqwerty
    joeqwerty over 6 years
    True, but a reboot is usually the quickest, most efficient way. I wanted to keep my answer as simple and as straightforward as possible. Thanks for the assist nonetheless.
  • JMP
    JMP over 6 years
    It's definitely easier, yes :)