You can exclude a user account from obtaining use licenses from an Active Directory Rights Management Services (AD RMS) cluster by specifying either the user's e-mail address or the public key string of the rights account certificate (RAC) issued to that user.
Users who are not allowed to consume rights-protected content but have e-mail accounts in your Active Directory Domain Services (AD DS) forest should be excluded by their e-mail addresses.
If a user is trusted but his or her AD RMS credentials are compromised, you can exclude only the compromised RAC by excluding its public key. AD RMS then denies any new use license request that presents that RAC, so the next time the user attempts to acquire a use license for new content the request is denied, and the user must obtain a new RAC with a new key pair before use licenses can be acquired again. Note that exclusion only blocks new license requests; use licenses that were already issued to the compromised RAC before you excluded it are not revoked and remain valid until they expire.
If you need to exclude external users who are not part of your AD DS forest, such as Windows Live ID users, federated users, and users identified by a trusted user domain, you must exclude them by the public key string of their RAC, because they have no e-mail account in your forest to exclude.
If you add a user to the exclusion list of the AD RMS root cluster, you should also exclude the user on all licensing-only clusters in your organization. Each AD RMS cluster has independent exclusion lists.
Membership in the local AD RMS Enterprise Administrators group, or equivalent, is the minimum required to complete this procedure.
To exclude a user
-
Open the Active Directory Rights Management Services console and expand the AD RMS cluster.
-
In the console tree, expand Exclusion Policies and then click Users.
-
In the Actions pane, click Enable User Exclusion.
-
In the Actions pane, click Exclude user. The Exclude User Account wizard appears.
-
Do one of the following:
- To exclude a user by e-mail address, click the Use this option for excluding rights account certificates of internal users who have an Active Directory Domain Services account option, and then click Browse to browse to a user or group in your Active Directory Domain Services directory or type the e-mail address of the user to be excluded.
- To exclude a user by the public key assigned to the user's rights account certificate, click the Use this option for excluding rights account certificates of external users who do not have an Active Directory Domain Services account option, and then type the appropriate rights account certificate public key string in the Public key string box.
-
Click Finish.
To stop excluding users
-
Open the Active Directory Rights Management Services console and expand the AD RMS cluster.
-
In the console tree, expand Exclusion Policies, and then click Users.
-
Do one of the following:
- To disable user exclusion for all user accounts, in the Actions pane, click Disable User Exclusion. All user accounts previously excluded will be able to acquire AD RMS use licenses again.
- To stop excluding a specific user account, in the results pane, select the excluded user certificate, and then in the Actions pane, click Delete. Click Yes to confirm the removal. Only that entry is removed; user exclusion stays enabled and the remaining entries still apply.
Additional considerations
- You can also perform the task described in
this procedure by using Windows PowerShell. For more information
about Windows PowerShell for AD RMS, see http://go.microsoft.com/fwlink/?LinkId=136806.
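The following script is an added example and is not part of this page or of Microsoft's own documentation. It performs the two procedures above with the AdRmsAdmin provider from the ADRMSAdmin module, and applies the exclusion to every cluster in a list rather than only to the root cluster, since each cluster keeps its own exclusion list. The cluster URLs, the e-mail address and the public key string are constructed placeholders. The ExclusionPolicy\User path, the IsEnabled item property and the -PublicKey parameter of New-Item are written from memory of the provider and should be verified on the cluster with Get-Help and Get-ChildItem before the script is used.

```powershell
# Added example (not from the page): exclude or re-admit a user on every
# AD RMS cluster in the organization, because the root cluster and each
# licensing-only cluster keep independent exclusion lists.
# ASSUMPTIONS: provider path AdrmsCluster:\ExclusionPolicy\User, item
# property IsEnabled, and New-Item -PublicKey are from recollection of the
# AdRmsAdmin provider; confirm them with Get-Help before running.
Import-Module ADRMSAdmin

# Constructed inventory: root cluster first, then licensing-only clusters.
$ClusterUrls = @(
    'https://adrms-root.contoso.com',
    'https://adrms-lic1.contoso.com'
)

function Connect-AdRmsClusterDrive {
    param([Parameter(Mandatory)][string] $ClusterUrl)
    # One drive per call; tear down any leftover from a previous run.
    if (Get-PSDrive -Name AdrmsCluster -ErrorAction SilentlyContinue) {
        Remove-PSDrive -Name AdrmsCluster
    }
    New-PSDrive -Name AdrmsCluster -PSProvider AdRmsAdmin -Root $ClusterUrl -Scope Global | Out-Null
    return 'AdrmsCluster:\ExclusionPolicy\User'
}

function Add-AdRmsUserExclusion {
    param(
        [Parameter(Mandatory)][string] $ClusterUrl,
        [string] $Email,      # internal user with an AD DS account
        [string] $PublicKey   # RAC public key string (external user or compromised RAC)
    )
    if (-not $Email -and -not $PublicKey) { throw 'Specify -Email or -PublicKey.' }
    $policy = Connect-AdRmsClusterDrive -ClusterUrl $ClusterUrl
    try {
        # Equivalent of "Enable User Exclusion": the list has no effect while disabled.
        Set-ItemProperty -Path $policy -Name IsEnabled -Value $true
        if ($Email) {
            New-Item -Path $policy -Name $Email | Out-Null
        } else {
            # Assumed syntax: the entry is keyed by the RAC public key string.
            New-Item -Path $policy -Name $PublicKey -PublicKey $PublicKey | Out-Null
        }
        Write-Verbose "Excluded on $ClusterUrl"
    } finally {
        Remove-PSDrive -Name AdrmsCluster
    }
}

function Remove-AdRmsUserExclusion {
    param(
        [Parameter(Mandatory)][string] $ClusterUrl,
        [Parameter(Mandatory)][string] $Name   # the e-mail address or public key string used above
    )
    $policy = Connect-AdRmsClusterDrive -ClusterUrl $ClusterUrl
    try {
        # Removes one entry only; user exclusion stays enabled and other entries remain.
        Remove-Item -Path (Join-Path $policy $Name) -Confirm:$false
    } finally {
        Remove-PSDrive -Name AdrmsCluster
    }
}

# Usage (constructed values): block a compromised RAC by its public key on all clusters,
# then later re-admit it on all clusters.
$compromisedRacKey = 'AQAB...'   # placeholder, not a real key
foreach ($url in $ClusterUrls) {
    Add-AdRmsUserExclusion -ClusterUrl $url -PublicKey $compromisedRacKey -Verbose
}
# foreach ($url in $ClusterUrls) { Remove-AdRmsUserExclusion -ClusterUrl $url -Name $compromisedRacKey }
```

Running the same loop against every cluster URL is the point of the script: an exclusion applied only to the root cluster leaves the compromised RAC able to obtain use licenses from any licensing-only cluster that was missed. Keep the -Verbose output or add logging so that the clusters on which the change succeeded can be reconciled afterwards.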