"Doug P" <> wrote in message news:BDAD19B7-003E-4DB4-990D-...
> Running Server 2003 SP2 and XP Pro SP3
>
> I have installed the certificate authority on my domain controller.
> I have generated a code signing certificate.
> I have used this certificate to sign a Word .dot file in order to trust the
> macros within it.
>
> When users open the .dot file, they get a security prompt regarding macros.
> Some users can click the 'Always trust macros from this publisher' and then
> they can enable the macros. For other users this option is greyed out. This
> doesn't appear to be a permissions thing because I was able to choose always
> trust on one computer with a non-admin user and I can not choose always trust
> on another computer even with an admin user.
>
> If possible, I would like to use group policy or something to enable this
> certificate or CA to be trusted by every computer in the domain but I haven't
> been able to find how to do this.
>
This is best posted in the microsoft.public.windows.server.security and microsoft.public.security.crypto newsgroups.
Just a heads up, the CA must be the Enterprise version of Windows in order to have a V2 template that you can create a cert for autoenrollment. Then you would configure a GPO for it. The following are some links to read up on with how to do it. Maybe the folks in the other groups can offer more specifics. FYI, make sure you test it on in a lab or on a test machine before rolling out the cert to everyone, or it will be more work removing the certs if it's not what you are looking for.
Here are some articles on how to set up Microsoft CA's and deploy certificates to users.
Best Practices for Implementing a Microsoft Windows Server2003 Public Key Infrastructure
http://www.microsoft.com/technet/pro.../ws3pkibp.mspx
Implementing and Administering Certificate Templates in Windows Server 2003
http://technet.microsoft.com/en-us/l.../cc783016.aspx
PKI Enhancements in Windows XP Professional and Windows Server 2003
http://www.microsoft.com/technet/pro...an/pkienh.mspx
Windows Server 2003 PKI Operations Guide
http://www.microsoft.com/technet/pro.../ws03pkog.mspx
Managing a Windows Server 2003 Public Key Infrastructure
http://www.microsoft.com/technet/pro...ty/mngpki.mspx
Advanced Certificate Enrollment and Management (need Windows Enterprise edition to make autoenrollment work):
http://www.microsoft.com/technet/pro...y/advcert.mspx
Certificate Autoenrollment in Windows Server 2003 (need Windows Enterprise edition to make autoenrollment work):
http://www.microsoft.com/technet/pro.../autoenro.mspx
Selecting Certificate Templates Public Key (need Windows Enterprise edition to make autoenrollment work):
http://www.microsoft.com/technet/pro...0d0ef4e9a.mspx
Configure a certificate template for client autoenrollment (need Windows Enterprise edition to make autoenrollment work):
http://technet2.microsoft.com/Window...00a8e1033.mspx
Certificate Services Operations Guide- Certificate Services Operations:
http://www.microsoft.com/technet/its...tSevcOG_2.mspx
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
For urgent issues, you may want to contact Microsoft PSS directly. Please
check
http://support.microsoft.com for regional support phone numbers.
"Efficiency is doing things right; effectiveness is doing the right things." - Peter F. Drucker
http://twitter.com/acefekay
Similar Threads
Linear Mode
