Enterprise CA – Targeting Specific CA for Auto-Enrollment

Tags: active-directory, adcs, ad-certificate-services, pki, windows

We have two intermediate Enterprise CAs (Windows AD CS) in our AD domain. Both CAs only have the Certification Authority role enabled.

CA1 is responsible for issuing certificates to workstations and users and has a template Workstation Auth.

CA2 is responsible for issuing certificates to servers and has a template Server Auth.

Auto-enrollment is enabled on all workstations and servers in our domain and is working.

Problem:

Workstations should only target CA1 for auto-enrollment
and servers should only target CA2 for auto-enrollment.

I want to achieve this using group policies.

I know that I can allow auto-enrollment on a template only for members of security groups, and that would work.

However, I prefer a solution using group policies, because we organise workstations and servers in different OUs. I can target both groups with group policies on OUs. The security group solution would require us to manage two new security groups on top of that.

Is it possible to configure a workstation or server to only auto-enroll from a particular Enterprise CA? I'm open to alternatives, if they can be achieved using group policies.

Best Answer

I'm open to alternatives, if they can be achieved using group policies.

I think you went in the wrong direction. The solution is chosen based on the problem, not the opposite. Your requirement (GPO only) isn't justified by a problem.

Let's focus on a problem:

  • Workstations should only target CA1 for auto-enrollment
  • and servers should only target CA2 for auto-enrollment

This task is solved by permissions. Put workstations in a security group (let's say "Workstations") and grant Read, Enroll and Autoenroll permissions on the "Workstation Authentication" certificate template. Assign this template only to CA1.

Put servers in a security group (let's say "Servers") and grant Read, Enroll and Autoenroll permissions on the "Server Authentication" certificate template. Assign this template only to CA2.

A single autoenrollment GPO can be applied to a top-level OU or even at domain level. It is good practice to have the autoenrollment GPO applied at domain level, with the exact autoenrollment settings (who can use which templates for autoenrollment) controlled by certificate template permissions and by template assignment to the corresponding CAs.
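A PowerShell implementation of the permission-based layout described in the answer, added here as an example and not part of the original post. It assumes the third-party PSPKI module (cmdlet names and parameters are taken on assumption), the built-in ActiveDirectory module, the NetBIOS domain name CORP, and placeholder names for the groups, OUs, templates and CAs; it also checks that no principal other than the intended group holds Autoenroll on each template, since a template that still grants Autoenroll to Domain Computers would defeat the split.

```powershell
# Added example: group-based autoenrollment scoping per template and CA.
# Assumes the PSPKI module (Install-Module PSPKI) and the ActiveDirectory module.
# Group, OU, template and CA names below are placeholders for this example.
Import-Module ActiveDirectory
Import-Module PSPKI

$domain = 'CORP'   # NetBIOS domain name (assumed)
$plan = @(
    @{ Group = 'Workstations'; OU = 'OU=Workstations,DC=corp,DC=example';
       Template = 'Workstation Authentication'; CA = 'CA1' },
    @{ Group = 'Servers';      OU = 'OU=Servers,DC=corp,DC=example';
       Template = 'Server Authentication';      CA = 'CA2' }
)

foreach ($p in $plan) {
    # 1. Security group, populated from the OU the question already maintains.
    if (-not (Get-ADGroup -Filter "Name -eq '$($p.Group)'")) {
        New-ADGroup -Name $p.Group -GroupScope Global -GroupCategory Security
    }
    $members = Get-ADComputer -SearchBase $p.OU -Filter * |
        Select-Object -ExpandProperty DistinguishedName
    if ($members) { Add-ADGroupMember -Identity $p.Group -Members $members }

    # 2. Template ACL: Read, Enroll and AutoEnroll for that group.
    $tpl = Get-CertificateTemplate -DisplayName $p.Template
    $tpl | Get-CertificateTemplateAcl |
        Add-CertificateTemplateAcl -Identity "$domain\$($p.Group)" `
            -AccessType Allow -AccessMask Read, Enroll, AutoEnroll |
        Set-CertificateTemplateAcl

    # 3. Publish the template on its own CA only.
    Get-CertificationAuthority -Name $p.CA | Get-CATemplate |
        Add-CATemplate -DisplayName $p.Template | Set-CATemplate

    # 4. Check: any other identity with Allow AutoEnroll would widen the scope
    #    (e.g. the default Domain Computers entry on Workstation Authentication).
    $others = ($tpl | Get-CertificateTemplateAcl).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.Rights -match 'AutoEnroll' -and
        $_.IdentityReference.Value -ne "$domain\$($p.Group)"
    }
    foreach ($ace in $others) {
        Write-Warning "$($p.Template): AutoEnroll also granted to $($ace.IdentityReference)"
    }
}
```

Remove any principal the warnings report from the template's Autoenroll permission before relying on the split; the domain-level autoenrollment GPO itself stays unchanged.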