If you used PKI in Windows 2000, you might remember that it was possible to autoenroll for computer certificates but not for user certificates. In Windows Server 2003, Microsoft has made it possible to configure your environment for user autoenrollment. As a member of the Enterprise Admins group in a Windows Server 2003 domain, you can specify the types of certificates that a user can automatically be issued. Autoenrollment is controlled by setting security permissions on certificate templates through the Certificate Templates management tool. A client can then access the template in Active Directory and automatically enroll for a certificate that he or she has rights to request. Likewise, autorenewal is used to control who can autorenew their certificates. Every certificate in the certificate store that has a template extension can potentially be autorenewed by the system, reducing the amount of administrative work that you need to perform for the renewal of certificates.
Was this article helpful?