Configuring Security

Resolve Unknown Users

In the Exchange KMS Key Import Wizard, the Unknown Users screen appears only when KMS cannot match one or more incoming users with a corresponding Exchange mailbox globally unique identifier (GUID). Before the wizard can continue, you must match unknown users with existing mailboxes in Active Directory.

The Recipient Update Service creates a GUID for every Exchange mailbox. Because all Exchange mailboxes are identified uniquely, you can move them from server to server without conflict. KMS uses the mailbox GUID to identify users in Active Directory. If KMS displays the Unknown Users screen, a user account may have been removed from Active Directory after the user was exported from a Key Management server. With the mailbox's Active Directory account deleted, KMS has nothing to associate with the GUID contained in the export file, so the importing KMS does not recognize the user. Even if you have created a new mailbox for the user on the destination server, that mailbox has a different GUID from the one associated with the user in the export file.

Note   The names displayed in the Unknown Users screen are taken from users' certificates as part of the exported Advanced Security information.

To resolve unknown users:

  1. By default, KMS will not import any users it cannot identify. To proceed without resolving names, highlight one or more names, and then click Do Not Import. When you click Next, importing will proceed only for those users that are identified by KMS.
  2. To resolve users, highlight a name, and then click Resolve User. In Select Users and Computers, select the appropriate user account in Active Directory. When you click Next, importing will proceed and the accounts you mapped to the unknown users will receive those users' keys.

    Warning   In this step, the displayed name can be mapped to any Active Directory account. Be careful to choose the correct one.