Individual users can be enrolled in Advanced Security through
Active Directory. Enrollment through Active Directory is similar to
enrolling users through Key Manager in System Manager, except that
the command only applies to the selected user.

In addition, administrators can use Active Directory to recover
and revoke keys. This is also done on a per-user basis that is
similar to performing the same task in System Manager.

One advantage of Active Directory is the additional detail that
is displayed for each enrolled user. You can look up an
individual's security status (such as "Enabled," "Disabled," "Token
Issued," or "In Recovery"), their Key Management server, and the
dates their certificates were activated and when they will

To enroll individuals in Advanced Security, recover a
user's keys, or revoke a user's certificates through Active

1. On the Start menu, point to Programs, point to Administrative
   Tools, and then click Active Directory Users and Computers.

2. In the console tree, click Users.

3. In the details pane, right-click the user, and then click

4. On the Exchange Features tab, in the Features column, click
   E-mail Security, and then click

5. In the Key Management Service Login dialog box, type your
   password, and then click OK. The default password is

   Note: You will have to re-type your password each time you try
   to perform a Key Management task in

6. In the user's E-mail Security dialog box, perform one of the
   following tasks:

   To enroll the user, click Enroll. If you configured KMS to
   distribute tokens through an administrator, the token will
   appear on your screen, so that you can deliver it to the user
   in person. If you configured KMS to distribute tokens through
   e-mail, click Do Not Send E-mail (to display the token on your
   screen only), or click Send Enrollment (to send it to the user
   in an e-mail

   To recover an enrolled user's keys, click Recover. A temporary
   token will be generated for the user. Click Send Enrollment
   Message to send the token to the user by e-mail, or click Do
   Not Send E-mail to display the token. You can then deliver the
   token in person.

   To revoke a user's certificates, click Revoke. You will get a
   confirmation dialog box informing you that the user was
   disabled from e-mail security.