Autoenrollment for User Certificates - Not showing in Personal store?

We have one Win 2008 R2 Enterprise CA.  All Windows 7 clients.  The CA was set up before I started.  The GPO settings for Autoenrollment were already set up for both Computers and Users.  The company wants to do Autoenrollment of User Certificates for 802.1x on wired at the moment.  The only thing that seemed to be missing that I saw was a v2 certificate template for User Certs with the security permissions needed.  I created both the Computer and the User v2 templates and gave appropriate (Read, Enroll and Autoenroll) permissions on the respective areas for each (Domain Computers for the Workstation Authentication Autoenrollment Policy, Domain Users for the User Autoenrollment Policy).

Computers are autoenrolling fine, and their certs appear in the Personal store. 

Users seem to be autoenrolling fine, but User certs appear in the Active Directory User Object store and NOT in the Personal store. 

The CA shows issuing User certs based off the new template correctly.  The User template is publishing to Active Directory with the "do not re-enroll if duplicate..." option selected.  I originally included email in subject and the email alternative name options, but have changed the template to not include email at all (did a "Re-enroll All Certificate Holders" after the change to not use email in the certs)...but neither template put the User cert in the Personal store of users. Registry keys show AutoEnrollment enabled for Users.

It all seems to be set correctly, not seeing autoenrollment errors in the event log on the CA/client sides, yet nothing shows in the Personal store.  I somehow got it to show up in my own personal store for both my accounts (standard, admin), but I had played with revoking my certs and I'm honestly not sure what caused the User cert to show up in my Personal store.  I had checked with two other users, and neither has the User cert in the Personal store, only the Active Directory User Object store.  I've also checked a server where I logged in with admin credentials and it doesn't have the cert in the Personal store, either.

What could I be missing when Autoenrollment for Computers works fine and shows up in the Personal store, but the User certs don't show up in the Personal store (even though Autoenrollment seems to be working fine)?
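One way to pin down the state described above on a single client is to compare, per template, the certificates published to the AD user object (the userCertificate attribute that the "Active Directory User Object" store reads) with those actually present in the user's Personal store, and to confirm the user autoenrollment policy value. This is an added PowerShell diagnostic, not code from the original post; the template name is a placeholder and should be replaced with the real v2 user template name.

```powershell
# Added diagnostic (not from the original post). Assumes the placeholder
# template name below is replaced with the actual v2 user template name.
param([string]$TemplateName = 'User Autoenrollment Policy')  # placeholder

# v2 (Certificate Template Information) and v1 (Certificate Template Name) extension OIDs
$TemplateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'

function Get-TemplateLabel([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Returns the formatted template extension text, e.g. "Template=Name(OID), Major Version Number=100, ..."
    $ext = $Cert.Extensions | Where-Object { $TemplateOids -contains $_.Oid.Value } | Select-Object -First 1
    if ($ext) { $ext.Format($false) } else { '' }
}

# 1. User autoenrollment policy as written by the GPO (bit 0x8000 in AEPolicy means "disabled")
$aeKey = 'HKCU:\Software\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aeKey -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $aePolicy)        { Write-Warning "No AEPolicy value under $aeKey" }
elseif ($aePolicy -band 0x8000) { Write-Warning "User autoenrollment disabled by policy (AEPolicy=$aePolicy)" }
else                            { "AEPolicy = $aePolicy (user autoenrollment enabled)" }

# 2. Certificates from the template in the Personal store (the store 802.1x EAP-TLS reads)
$personal = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { (Get-TemplateLabel $_) -like "*$TemplateName*" })
"Personal store: $($personal.Count) cert(s) from template '$TemplateName'"
$personal | ForEach-Object { "  {0}  {1}  expires {2}" -f $_.Thumbprint, $_.Subject, $_.NotAfter }

# 3. Certificates published to the current user's AD object (userCertificate attribute)
$searcher = [adsisearcher]"(&(objectClass=user)(sAMAccountName=$env:USERNAME))"
$searcher.PropertiesToLoad.Add('userCertificate') | Out-Null
$adCerts = @()
$result = $searcher.FindOne()
if ($result) {
    foreach ($raw in $result.Properties['usercertificate']) {
        $adCerts += New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,[byte[]]$raw)
    }
}
$adFromTemplate = @($adCerts | Where-Object { (Get-TemplateLabel $_) -like "*$TemplateName*" })
"AD user object: $($adFromTemplate.Count) cert(s) from template '$TemplateName'"

# 4. Certificates that exist on the AD object but not in this user's Personal store:
#    exactly the mismatch the question describes, listed by thumbprint for comparison with the CA's issued log
$missing = $adFromTemplate | Where-Object { $personal.Thumbprint -notcontains $_.Thumbprint }
$missing | ForEach-Object { "  In AD only: {0}  {1}  expires {2}" -f $_.Thumbprint, $_.Subject, $_.NotAfter }

# To trigger user autoenrollment immediately instead of waiting for the next policy refresh:
#   certutil -user -pulse
```

Run it in the affected user's own session (not an elevated one for another account), since both Cert:\CurrentUser\My and HKCU are per-user.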

