Group security permissions for certificate template not working

Tags: ad-certificate-services, certificate-authority, pki, windows-server-2016

I have a certificate template published on my domain-joined Server 2016 Enterprise CA – I'm trying to set up certificate autoenrollment for our internal webservers.

When the template has read/enroll/autoenroll permissions granted directly to a Computer Account, the computer in question can autoenroll.

When read/enroll/autoenroll permissions are assigned to the built-in group "Domain Computers", (any) domain-joined computers can also autoenroll.

When security permissions are assigned to a global security group containing computer accounts as members, these computers cannot autoenroll. When using the "Request New Certificate" option from the computer's certificate manager, I can select the template in question, but it fails with the error "The permissions on the certificate template do not allow the current user to enroll for this type of certificate". I can see failures on the CA when doing a GPUpdate on a computer which should have permission to enrol.

I suspect I'm missing something stupid – any suggestions on things to check?

Best Answer

You need to reboot the servers after changing their Security group membership.
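Added example (not from the question or the answer above): a PowerShell check that reads the template's Enroll/AutoEnroll ACEs from the Configuration partition and compares them with the computer account's transitive group membership as AD currently stores it, so a stale logon token (the reboot case above) can be told apart from a genuinely missing ACE. It assumes the ActiveDirectory RSAT module; the template and computer names are placeholders.

```powershell
# Added example, not part of the original thread. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$TemplateName = 'WebServerAutoEnroll'   # placeholder: template CN as shown in AD
$ComputerName = 'WEB01'                 # placeholder: sAMAccountName without the trailing '$'

# Well-known extended-right GUIDs that appear in certificate template ACLs
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-11d2-b5ec-0000f80367c1'  # Certificate-AutoEnrollment

# Templates live in the Configuration partition, not in the domain partition
$configNC = (Get-ADRootDSE).configurationNamingContext
$tmplDN   = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$acl      = Get-Acl -Path "AD:\$tmplDN"

# Allow ACEs for Enroll or AutoEnroll; an empty ObjectType means "all extended rights"
$grants = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -in @($EnrollGuid, $AutoEnrollGuid, [guid]::Empty)
}

# Resolve each grantee to a SID so the comparison does not depend on name formatting
$granteeSids = foreach ($ace in $grants) {
    try   { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $null }   # unresolvable (e.g. orphaned) SIDs are skipped
}

# Principals the computer can present: its own SID, its primary group (Domain Computers by
# default, which is NOT in memberOf) and every group it belongs to transitively
# (LDAP_MATCHING_RULE_IN_CHAIN on the member attribute).
$computer      = Get-ADComputer -Identity $ComputerName -Properties primaryGroupID
$domainSid     = (Get-ADDomain).DomainSID.Value
$principalSids = @($computer.SID.Value, "$domainSid-$($computer.primaryGroupID)")
$principalSids += Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($computer.DistinguishedName))" |
                  ForEach-Object { $_.SID.Value }

$match = $granteeSids | Where-Object { $_ -and ($_ -in $principalSids) }
if ($match) {
    "AD grants $ComputerName Enroll/AutoEnroll on $TemplateName via SID(s): $($match -join ', ')"
    "If enrollment still fails, the computer's logon token predates the group change: reboot it."
} else {
    "No Enroll/AutoEnroll ACE on $TemplateName matches $ComputerName or any group it is a member of."
}
```

The group SIDs in a computer's token are fixed when the machine logs on at boot, which is why AD can already show the membership while the CA still denies the request.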