none
what is the difference between "certutil -adtemplate" and "certutil -template"? why adtemplate result show access is denied? i'm using the root administrator RRS feed

  • Question

  • i don't know exactly what certutil -adtemplate and certutil -template differsa

    are they equivalent to the GUI template management?

    the result are below:


    I;m Charles Lee.

    Friday, September 13, 2013 9:08 AM

Answers

  • Hi,

    with certutil -adtemplate you get a list of all templates from Active Directory. certutil -template list only the templates for a enrollment policy. By default you have a enrollment policy configured using AD, so bot commands will list you the same template names (an a AD integrated machine). certutil -template gives you a few more details. You can manage all templates by using the certtmpl.msc console.

    Regards,

    Lutz

    Friday, September 13, 2013 3:48 PM

All replies

  • Hi,

    with certutil -adtemplate you get a list of all templates from Active Directory. certutil -template list only the templates for a enrollment policy. By default you have a enrollment policy configured using AD, so bot commands will list you the same template names (an a AD integrated machine). certutil -template gives you a few more details. You can manage all templates by using the certtmpl.msc console.

    Regards,

    Lutz

    Friday, September 13, 2013 3:48 PM
  • Hi,

    I would like to confirm what is the current situation.

    Please feel free to let us know if you need further assistance.

    Regards.

    If you have any feedback on our support, please click here



    Vivian Wang
    TechNet Community Support

    Monday, September 16, 2013 1:45 PM
    Moderator
  • "...what is the current situation..."

    Most likely the situation is that the question was not answered fully. Why does -adtemplate give Access denied on each & every template?

    Seb

    Wednesday, August 19, 2015 4:38 PM
  • Hello all,

    This is the reason behind he error:

    Access Denied is received because the account under which the certutil -adtemplate is executed does not have Auto-Enroll permission on the template. If you issue this command, you get the full info of the template including access denied for auto-enrollment.

    certutil -adtemplate -v

    You can do a test - make Administrator template available for autoenrollment (checkbox on the Security tab of the template) for your account and this is the result:

    CodeSigning: Code Signing -- Auto-Enroll: Access is denied.
    Copy of Administrator: Copy of Administrator -- Auto-Enroll
    CrossCA: Cross Certification Authority -- Auto-Enroll: Access is denied.


    • Edited by Valyar Tuesday, August 25, 2015 7:42 PM
    • Proposed as answer by Valyar Tuesday, August 25, 2015 7:42 PM
    Tuesday, August 25, 2015 7:41 PM