To create a new OU in which the ActivID CMS HIDS Smart Card software looks for new user accounts, you need to take several steps:
Validate the current domain and CA connectivity
Create the User Group
Create the Assignment and Device Policy (the device policy is where the certificate template settings from your CA are set)
Be careful here. This is where I screwed up. While I mirrored a working group, when I went back and checked the ‘VIEW’ I saw that they were different. I was getting a fail after 90% card creation only for one user, in the new OU, with codes like:
The device issuance failed.
Synch Error: Security module synchronization failed. An internal provider error has occurred
in provider Microsoft, context -------------------CA.
Externaloperation error. : providerContextID=null (0x0000000C) MSPKI_DENIED_REQUEST :
Denied by Policy Module
and permission errors on the CA like 0x80094012