GPO installs certificate more than once causing issues

    I have been asked by our development team to install a CA on all servers and workstations, which I did. When the GPO started taking effect on the Developers' servers, their applications started failing.

    We found that the Developers had already installed the cert on their servers and their custom app was referencing that cert to get data from other servers.

    When the GPO ran for the first time on their development servers, the cert was installed AGAIN, which confused their custom app and stopped it from working.

    My question is, how do I change my GPO so that it only installs the specific cert on any machine which does not already have that cert?

    Windows 2003 Domain.

    GPO settings are:

    Code:
    Group Policy Management 
     
    APAC - Certificate Distribution		   
    Data collected on: 5/1/2012 3:38:32 PM	 all	 
    General 
    Details 
     
    Domain	MYDOMAIN.LOCAL	   
    Owner	MYDOMAIN\Domain Admins	   
    Created	3/14/2012 9:08:30 AM	   
    Modified	3/16/2012 9:57:52 PM	   
    User Revisions	0 (AD), 0 (sysvol)	   
    Computer Revisions	2 (AD), 2 (sysvol)	   
    Unique ID	{5465AF75-D2CE-48D1-A4A7-02FC2796E4A4}	   
    GPO Status	Enabled	 
    Links 
     
    Location	Enforced	Link Status	Path	   
    APAC	No	Disabled	MYDOMAIN.LOCAL/BS ENTERPRISE/APAC	 
    
    This list only includes links in the domain of the GPO. 
    Security Filtering 
    The settings in this GPO can only apply to the following groups, users, and computers: 
     
    Name	   
    NT AUTHORITY\Authenticated Users	 
    WMI Filtering 
     
    WMI Filter Name	None	   
    Description	Not applicable	 
    Delegation 
    These groups and users have the specified permission for this GPO 
     
    Name	Allowed Permissions	Inherited	   
    MYDOMAIN\Domain Admins	Edit settings, delete, modify security	No	   
    MYDOMAIN\Enterprise Admins	Edit settings, delete, modify security	No	   
    NT AUTHORITY\Authenticated Users	Read (from Security Filtering)	No	   
    NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS	Read	No	   
    NT AUTHORITY\SYSTEM	Edit settings, delete, modify security	No	 
    Computer Configuration (Enabled) 
    Windows Settings 
    Security Settings 
    Public Key Policies/Autoenrollment Settings 
     
    Policy	Setting	   
    Enroll certificates automatically	Enabled	   
    Renew expired certificates, update pending certificates, and remove revoked certificates	Disabled	   
    Update certificates that use certificate templates	Disabled	 
    Public Key Policies/Encrypting File System 
    Properties 
     
    Policy	Setting	   
    Allow users to encrypt files using Encrypting File System (EFS)	Enabled	 
    Public Key Policies/Trusted Root Certification Authorities 
    Properties 
     
    Policy	Setting	   
    Allow users to select new root certification authorities (CAs) to trust	Enabled	   
    Client computers can trust the following certificate stores	Third-Party Root Certification Authorities and Enterprise Root Certification Authorities	   
    To perform certificate-based authentication of users and computers, CAs must meet the following criteria	Registered in Active Directory only	 
    Certificates 
     
    Issued To	Issued By	Expiration Date	Intended Purposes	   
    MYDOMAIN.LOCAL APAC CA	MYDOMAIN.LOCAL APAC CA	4/7/2041 1:29:29 AM	<All>	 
    
    For additional information about individual settings, launch Group Policy Object Editor. 
    User Configuration (Enabled) 
    No settings defined.
    JDMils
    Regional Systems Engineer, DotNet programmer & Jack of all trades

  • #2
    Re: GPO installs certificate more than once causing issues

    Group Policy doesn't look to see if something is installed before it applies, it only looks to see if that specific policy has already been applied. If the record of the policy doesn't exist on the client, and the policy is supposed to be on the client, it will deploy to the client. The application of the Policy object is recorded in the Registry, so that's where the GP enforcement routine looks.

    So when your development PCs had the policy applied under the domain rules, the GP enforcement did what it was supposed to--it applied the policy because the policy hadn't been applied yet. The fact that the cert pushed by policy had already been manually installed on those PCs first is not part of the deal. That manual install did not set the appropriate registry entry, so your policy pushed a duplicate.

    One way I can think of is to use GP to call a custom script for each deployment, such that a log file of some kind, even a 1-line text file, is written to the client when applied. Write each script to look for the specific text or log file. If it exists, policy doesn't apply again. But that's not the best way to do it.
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **
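    The check-before-install idea in this reply, written out as an added example that is not from the thread: a computer startup script that uses the machine's own Trusted Root store as the record instead of a marker file, matching the CA by thumbprint so a different certificate with the same subject name is not mistaken for it. It assumes PowerShell is available on the clients, that the .cer file is on a share the computer account can read, and that the thumbprint placeholder is replaced with the real SHA-1 hash of the CA certificate; the Trusted Root entry would then be removed from the GPO so only the script deploys the CA.

```powershell
# Added example (not the forum's code): install a root CA once, keyed on thumbprint.
param(
    [string]$CerPath    = '\\MYDOMAIN.LOCAL\NETLOGON\apac-ca.cer',   # hypothetical share path
    [string]$Thumbprint = '0000000000000000000000000000000000000000'  # placeholder, replace
)

$ErrorActionPreference = 'Stop'
# Normalise the thumbprint: PowerShell reports it as upper-case hex with no separators.
$Thumbprint = ($Thumbprint.ToUpper() -replace '[^0-9A-F]', '')

# Is the CA already trusted? Match on thumbprint, never on subject name.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$root.Open('ReadOnly')
$present = $root.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint }
$root.Close()

if ($present) {
    Write-Output "CA $Thumbprint already trusted on $env:COMPUTERNAME; nothing to do."
    exit 0
}

# Load the file and verify it is the expected certificate before trusting it,
# so a swapped file on the share cannot silently become a trusted root.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
if ($cert.Thumbprint -ne $Thumbprint) {
    Write-Error "Thumbprint mismatch for ${CerPath}: got $($cert.Thumbprint), expected $Thumbprint"
    exit 1
}

$root.Open('ReadWrite')
$root.Add($cert)
$root.Close()
Write-Output "Installed CA '$($cert.Subject)' ($Thumbprint) into LocalMachine\Root on $env:COMPUTERNAME."
```

    Run it as a Computer Configuration startup script so it executes as SYSTEM, which is required to write to LocalMachine\Root; it is safe to run at every boot because the store check makes it a no-op once the CA is present.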



    • #3
      Re: GPO installs certificate more than once causing issues

      item level targeting >file match?
