The CAPolicy.inf is only used during installation of the CA service and key renewal. Did you reinstall?

You have loaded all the templates into the CA, thus enabling it to hand out certificates for every purpose that can be defined. This may not be a good thing as in one go, you have enabled a lot of functionality from LDAP over SSL (not bad) to Encrypting file system (can be bad unless you have key recovery procedures). You definitely want to have control as to what type of certificates are issued, and to whom. I would suggest trying this out in the lab rather than the prod network.

The certificates are being issued because of autoenrollment. If you stand up an AD integrated CA, it publishes itself to various nodes under CN=services in the configuration partition, and Windows devices have built-in functionality to look for and trust CA's published there. My guess is that one of the templates specifies to publish issued certificates in AD and that is failing because of rights.

I came across a very long and fairly comprehensive checklist that might be of use to you: http://www.corelan.be/index.php/2008/07/14/windows-2008-pki-certificate-authority-ad-cs-basics/

-Ravi

show