Autoenrollment Functions
Updated: January 01, 2003
This section discusses various functions performed
by the autoenrollment process on Active Directory
domain-joined machines.
Download of Active Directory Certificates and Trust Objects
Autoenrollment automatically downloads and manages
trusted root certificates, cross-certificates, and
NTAuth certificates from Active Directory into the
local machine registry for domain-joined machines.
All users who log on to the machine inherit the
trust and downloaded certificates that are
downloaded and managed by autoenrollment.
Deleting Expired and Revoked Certificates
Autoenrollment deletes expired and revoked
certificates in the userCertificate attribute on the
user object in Active Directory. This feature can be
enabled through user or machine Group Policy to help
ensure that only valid and active certificates are
used for encryption operations.
The exit module on
the Windows Server 2003 CA also helps to manage the
user account in Active Directory, but it only deletes
expired certificates; it does not remove revoked
certificates, for performance reasons. In general,
there is no value in publishing a signing
certificate to the user object in Active Directory,
except for purposes of record-keeping.
Managing User Certificates in the CryptoAPI MY Store
Certificates in the user's local MY certificate
store may also be managed through the
autoenrollment process. On a per-template basis,
autoenrollment can be enabled to delete expired and
revoked signature certificates. Encryption
certificates and keys are never automatically
deleted. However, autoenrollment only manages
certificates that correspond to certificate
templates defined in Active Directory that contain
the certificate template extension. This feature is
enabled by setting the corresponding option on the
Request Handling tab in the Properties of a given
certificate template.
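The following PowerShell audit script is an added example, not code from the original article. It lists certificates in the current user's MY store that carry a certificate template extension (so they are the ones autoenrollment manages), flags those already expired, and separates signature certificates, which a per-template cleanup setting may remove, from encryption certificates, which are never deleted automatically. The template extension OIDs 1.3.6.1.4.1.311.20.2 and 1.3.6.1.4.1.311.21.7 are assumed here; the article names neither.

```powershell
# Added example (not from the original article). Assumed OIDs for the certificate
# template extension: 1.3.6.1.4.1.311.20.2 (Certificate Template Name, v1 templates)
# and 1.3.6.1.4.1.311.21.7 (Certificate Template Information, v2 and later templates).
$templateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')
$kuFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

function Get-AutoenrollmentManagedCertificate {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Only certificates issued from an AD certificate template carry the extension;
        # everything else (self-signed, third-party) is outside autoenrollment's scope.
        $templateExt = @($cert.Extensions | Where-Object { $templateOids -contains $_.Oid.Value })
        if ($templateExt.Count -eq 0) { continue }

        # Read the Key Usage extension to tell signature from encryption certificates.
        $ku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        $usages = if ($ku) { $ku.KeyUsages } else { $kuFlags::None }
        $isEncryption = $usages.HasFlag($kuFlags::KeyEncipherment) -or
                        $usages.HasFlag($kuFlags::DataEncipherment)

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Template   = $templateExt[0].Format($false)   # template name or OID, human-readable
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))
            KeyUsage   = $usages
            # Autoenrollment never deletes encryption certificates or their keys;
            # only expired/revoked signature certificates are eligible for cleanup.
            Class      = if ($isEncryption) { 'Encryption (never auto-deleted)' }
                         else { 'Signature (eligible for per-template cleanup)' }
        }
    }
}

# Report the expired, template-based certificates and what the cleanup setting could do with them.
Get-AutoenrollmentManagedCertificate |
    Where-Object { $_.Expired } |
    Sort-Object NotAfter |
    Format-Table Subject, Template, NotAfter, Class -AutoSize
```

Run it as the user whose store you want to inspect; pass `-StorePath 'Cert:\LocalMachine\My'` from an elevated prompt to audit the machine store instead.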