Share via


Credential roaming administrative template

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The Credential Roaming administrative template allows you to configure the following credential roaming options:

  • Not Configured. The default setting.

  • Enabled. Enables credential roaming.

  • Disabled. Prevents credential roaming from being enabled locally.

You can also configure specific Credential Roaming settings:

  • Maximum tombstone credentials lifetime in days: Allows you to define how long a roaming credential will remain in Active Directory for a certificate or key that has been deleted locally.

  • Maximum number of roaming credentials per user: Allows you to define a maximum number of certificates and keys that can be used with credential roaming.

  • Maximum size (in bytes) of a roaming credential: Allows you to restrict roaming for credentials that exceed a defined size.

To create the Credential Roaming administrative template, copy the following code, paste it into a text file, and save the file with the name DIMS.adm or a name of your choice.

CLASS USER
CATEGORY  !!CertSvcClient
KEYNAME "Software\Policies\Microsoft\Cryptography\AutoEnrollment"
POLICY !!CredentialRoaming

EXPLAIN !!CredentialRoaming_Explain
VALUENAME "DIMSRoaming"
VALUEON NUMERIC 1

PART !!CredentialRoaming_Box TEXT
END PART

PART !!CredentialRoaming_TombstoneValue NUMERIC REQUIRED
VALUENAME "DIMSRoamingTombstoneDays"
MIN 1 MAX 3650 DEFAULT 60 SPIN 30
END PART

PART !!CredentialRoaming_MaxNumTokens NUMERIC REQUIRED
VALUENAME "DIMSRoamingMaxNumTokens"
MIN 1 MAX 10000 DEFAULT 2000 SPIN 100
END PART

PART !!CredentialRoaming_MaxTokenSize NUMERIC REQUIRED
VALUENAME "DIMSRoamingMaxTokenSize"
MIN 1 MAX 100000 DEFAULT 65535 SPIN 1000
END PART

END POLICY
END CATEGORY

[strings]
CertSvcClient="Certificate Services Client"
CredentialRoaming_Explain="This policy setting specifies the behavior for user X.509 certificates, requests, and key roaming.\n\n
User certificates and keys will be roamed and synchronized between the local user profile on the desktop and the user object in 
Active Directory when a user logs on interactively.\n\nIf you enable this policy setting, all X.509 certificates, keys, and enrollment 
requests will be uploaded and synchronized with the user object in Active Directory. You should also enable folder exclusion policies 
for roaming user profiles to avoid any conflicts in the use of multiple roaming technologies.\n\nIf you disable this policy setting, 
all future synchronization and roaming will cease, but no keys or certificates will be deleted from the local user profile or 
Active Directory user object.\n\nIf you do not configure this policy setting, user certificate and key roaming will not be performed.\n\n
Note: Folder exclusion policy settings may be configured in the user profiles section of the System administrative template.\n\n"
DisableAll="None"
CredentialRoaming="X.509 certificate and key roaming"
CredentialRoaming_Box="Specific Credential Roaming settings:"
CredentialRoaming_TombstoneValue="Maximum tombstone credentials lifetime in days:"
CredentialRoaming_MaxNumTokens="Maximum number of roaming credentials per user:"
CredentialRoaming_MaxTokenSize="Maximum size (in bytes) of a roaming credential:"

See Also

Concepts

The role of Administrative Templates