You can implement exclusion policies to deny certain entities the ability to acquire certificate and license requests. There are three ways to exclude these entities: by user, by application, and by lockbox version.

When an entity is excluded, use licenses that are created by servers in the AD RMS cluster will have that entity specified in the exclusion list. If, after a period of time, you decide to remove an entity that you have previously included in an exclusion policy, you can delete the entity from the exclusion list. Any new certification or licensing requests will not consider this entity as excluded.

We recommend that you do not remove an entity from an exclusion policy until you can be sure that all of the certificates issued before the exclusion policy was created have expired. Otherwise, both the old certificates and the new certificates will allow the content to be decrypted, which might not be what your organization wants.
