I am the Domain Admin of a company. We implement Active Directory Certificate Services in our company for email signature and encryption. Because we have more than 1000 users in our company, we want to enable auto-enrollment on the User certificate template, but we want to prevent users from having multiple certificates. Therefore we are seeking a method to restrict them from enrolling for certificates manually.

When we uncheck the enroll permission in the security tab of user template properties the auto-enrollment feature won't work. Is there any solution for my issue?

  • Why? I've yet to meet a user who's even willing to manually enroll for a certificate, let alone able to. I think you might be worrying over nothing. – HopelessN00b Feb 10 '14 at 09:28
  • We want to prevent users from having multiple certificates. When users enroll for certificates manually, they have multiple certificates in Active Directory. – Hojjat Jashnniloofar Feb 12 '14 at 10:50

1 Answer

Multiple email certificates can cause issues but manual enrollment is a major inconvenience.

Instead, there is an option within the certificate template that can help.

It requires that certificates be published to AD.

Check the box "Do not automatically reenroll if a duplicate certificate exists in Active Directory"

Full details here on TechNet: http://blogs.technet.com/b/mspfe/archive/2012/12/27/how-to-avoid-having-users-enroll-for-multiple-certificates.aspx

BIGmog
  • Thanks for your answer. I checked this option previously. This option prevents auto-enrolling multiple certificates; of course, this option can't work perfectly. – Hojjat Jashnniloofar Feb 01 '15 at 06:22
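
A read-only audit of the two template settings the answer relies on, plus a list of users who already have more than one certificate published in AD. This is an added example, not part of the original answer. It assumes the RSAT ActiveDirectory module is available, and the flag values are the msPKI-Enrollment-Flag bits defined in the [MS-CRTD] specification.

```powershell
# Added example: read-only queries, nothing is modified.
# Assumes the RSAT ActiveDirectory module and read access to the Configuration partition.
Import-Module ActiveDirectory

# msPKI-Enrollment-Flag bits from [MS-CRTD]
$PUBLISH_TO_DS      = 0x08  # "Publish certificate in Active Directory"
$CHECK_USER_DS_CERT = 0x10  # "Do not automatically reenroll if a duplicate
                            #  certificate exists in Active Directory"
$AUTO_ENROLLMENT    = 0x20  # template is flagged for autoenrollment

$configNC     = (Get-ADRootDSE).configurationNamingContext
$templateBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# 1. Report, per template, whether both prerequisites from the answer are set.
Get-ADObject -SearchBase $templateBase -SearchScope OneLevel `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties displayName, 'msPKI-Enrollment-Flag' |
  ForEach-Object {
    # Attribute may be absent on older templates; $null casts to 0.
    $flags = [int]$_.'msPKI-Enrollment-Flag'
    [pscustomobject]@{
      Template         = $_.displayName
      AutoEnroll       = [bool]($flags -band $AUTO_ENROLLMENT)
      PublishToAD      = [bool]($flags -band $PUBLISH_TO_DS)
      SkipIfDuplicate  = [bool]($flags -band $CHECK_USER_DS_CERT)
      # The duplicate check reads the user's AD object, so it only has
      # something to compare against when certificates are published.
      DuplicateCheckOk = (($flags -band $PUBLISH_TO_DS) -and
                          ($flags -band $CHECK_USER_DS_CERT)) -as [bool]
    }
  } | Sort-Object Template | Format-Table -AutoSize

# 2. List users that already hold more than one published certificate.
Get-ADUser -LDAPFilter '(userCertificate=*)' -Properties userCertificate |
  Where-Object { $_.userCertificate.Count -gt 1 } |
  Select-Object SamAccountName,
                @{ Name = 'PublishedCerts'; Expression = { $_.userCertificate.Count } } |
  Sort-Object PublishedCerts -Descending
```

The second query counts every certificate in `userCertificate`, including expired ones and certificates from other templates, so treat its output as a starting point for cleanup rather than a list of duplicates.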