To restore a deprovisioned user account
For information about each option, open the Password Options dialog box, and then press F1.
When you click the Undo Deprovisioning command, the operation progress and results are displayed. When the operation is completed, Active Roles displays the operation summary, and allows you to examine the operation results in detail. You can view a report that lists the actions taken during the restore operation. For each action, the report informs about success or failure of the action. In the event of a failure, the report provides a description of the error situation.
You can use Active Roles to add or remove digital (X.509) certificates from user accounts in Active Directory. By adding a certificate to a user account you make the certificate (including the public key associated with the certificate) available to other Active Directory users and to Active Directory-aware applications and services.
The certificates added to Active Directory user accounts are referred to as published certificates. Published authentication certificates are used by Active Directory domain controllers during certificate-based authentication. Published encryption certificates can be used to enable access to encrypted contents. For instance, in the case of e-mail encryption, the sender retrieves the recipient’s certificate from the Active Directory user account and uses that certificate to encrypt the e-mail message so that the recipient could decrypt the message by using the private key associated with the certificate. A similar process occurs when you want to allow a given user to read an encrypted file. The certificate retrieved from the user account is used to encrypt the file encryption key so that the file encryption key could be obtained by using the private portion of the user’s certificate to decrypt the encrypted key material.
To view or change the list of digital certificates for a particular user account, open the Properties page for that user account in the Active Roles console or Web Interface and go to the Published Certificates tab. From the Published Certificates tab, you can perform the following tasks:
For each of the certificates that are listed on the Published Certificates tab, you can view the following information:
In the Active Roles console or Web Interface you can use the Published Certificates page to view or change the list of digital certificates that are assigned to a given user account in Active Directory. Digital certificates are used for authentication and secure exchanges of information. A certificate securely binds a public encryption key to the entity that holds the corresponding private key. The Published Certificates page allows you to add or remove digital certificates from the user account.
To add or remove a certificate for a user account using the Active Roles console
From the Published Certificates page in the Active Roles console, you can also view or export any of the certificates listed on that page. Select a certificate from the list and then click the View Certificate button to examine the certificate in detail or click the Copy to File button to save a copy of the certificate to a file.
To access the Published Certificates page in the Web Interface, open the General Properties page for the user account and click the Published Certificates tab. From the Published Certificates page in the Web Interface you can:
Active Roles now allows you to administer group Managed Service Accounts. Introduced in Windows Server 2012, group Managed Service Account (gMSA) is a domain security principal whose password is managed by Windows Server 2012 domain controllers and can be retrieved by multiple systems running Windows Server 2012. Having Windows services use gMSA as their logon account minimizes the administrative overhead by enabling Windows to handle password management for service accounts. Group Managed Service Accounts provide the same functionality as Managed Service Accounts introduced in Windows Server 2008 R2 and extend that functionality over multiple servers.
As you can use a single gMSA on multiple servers, gMSA provides a single identity solution for services running on a server farm. With a service hosted on a server farm, gMSA enables all service instances to use the same logon account (which is a requirement for mutual authentication between the service and the client), while letting Windows change the account’s password periodically instead of relying on the administrator to perform that task.
For more information about group Managed Service Accounts, see “Group Managed Service Accounts Overview” at technet.microsoft.com/en-us/library/hh831782.aspx.