Where does certificate store at after you apply auto enrollment computer template into an OU?

Could you elaborate your question? User/Computer certs should go into their respective stores. Under mmc->Add Remove Snap In->Certificates would give you the option of viewing both User and Computer stores. Look under Personal->Certificates for both Local Computer and Current User.

Ashish:I am trying install cert using Enterprise CA. I only want cert on the laptop OU on the domain. However, after I installed the Enterprise CA, as soon as I logged into any workstation including any desktop and laptops on any domain, the workstion would receive a cert from the Enterprise serverIs there way so that I can apply cert only to one OU on the Active Directory?

This is probably because you have auto-enrolment set to enabled in a "higher" OU and it is inheriting down the OU tree. If you want to target just laptops you have a couple of options: 1. Turn off autoenrolment at that higher OU (maybeit is set in yourDefault Domain GPO [default] ?), and just have a GPO setting autoenrolment on the Laptops OU only. 2. Create a security group, and put all of your laptop machine accounts into it. Then, when you create any newCert templates, ensure that you remove Authenticated Users (which actually includes machines too) from the template ACL and add your new security group with autoenroll permissions. It really depends on what other "uses" you have for certs - you may have to have a mixture of #1 & #2 - Stuart Hudman