Configure credential roaming Group Policy
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
To configure credential roaming Group Policy, you need to:
Install the Credential Roaming administrative template.
Set credential roaming Group Policy options.
Install the DIMS administrative template
To install the CredentialRoaming.adm template:
Open the Active Directory Users and Computers MMC snap-in.
In the console tree, highlight the domain node, right-click and select Properties.
With the domain properties window open, select the Group Policy tab.
Highlight the domain policy in the domain policy objects area and click Edit.
In the console tree, expand User Configuration\Administrative Templates.
Right-click Administrative Templates. Choose Add/Remove Templates.
Navigate to the folder where the CredentialRoaming.adm file is located. Select the CredentialRoaming.adm file, click Open, and then click Close. Credential Roaming will now appear as a template under Administrative Templates.
Setting credential roaming Group Policy options
To configure credential roaming Group Policy options:
Open the Group Policy Object Editor, and go to:
User Configuration)/Administrative Templates/ Credential Roaming
In the details pane, select and right-click X.509 Certificate and Key Roaming. Click Properties.
Under X.509 Certificate and Key Roaming Settings, click Enabled.
In the Enable Credential Roaming drop-down list, select the type of credential roaming policy appropriate for your organization:
Roam all using strict arbitration rules
Roam all x.509 certificates and keys
Roam Encryption only with strict arbitration
Roam only encryption certificates and keys
- In most circumstances, Roam all x.509 certificates and keys will be the preferred option. The strict arbitration options can be used when a user may be issued multiple certificates or keys for a similar purpose but with different settings, and you want one specific group of settings to win out.
If appropriate for your organization, you can change the default values for the following options:
Maximum tombstone credentials lifetime in days:
Maximum number of roaming credentials per user:
Maximum size (in bytes) of a roaming credential:
When you are done, click OK.
Close the Group Policy Object Editor.
Click OK to accept the new domain Group Policy settings properties and close Active Directory Users and Computers.
You must be a member of the Domain Admins group to define domain Group Policy options.
New domain Group Policy settings are not applied to clients until after Group Policy is refreshed — typically every eight hours.
Credential roaming is supported for clients running Windows Server 2003 with Service Pack 1 (SP1). Credential roaming is supported on domain controllers running Windows 2000 Service Pack 3 (SP3) or later or Windows Server 2003. Mixed environments containing domain controllers running Windows 2000 SP3 or later and Windows Server 2003 are also supported. The forest functional level can be either Windows 2000 or Windows Server 2003.
An update was recently made available that enables credential roaming on clients running Windows XP Professional SP2 and an update is available for Windows Server 2003 (SP1).
For the best performance and security, it is recommended that the servers be upgraded to Windows Server 2003 SP1. For other best practices, see Credential roaming best practices.
For an explanation of the different credential roaming Group Policy settings and to create the CredentialRoaming.adm template, see Credential roaming administrative template.
Open Group Policy from Active Directory Users and Computers
Open Group Policy from Active Directory Sites and Services
Ways to open Group Policy Object Editor
Edit the local Group Policy object
Add or remove an Administrative Template (.adm file)