Unprotect-RMSFile
Unprotects a file that is currently protected by RMS.
Syntax
Unprotect-RMSFile
[-File <String>]
[-Folder <String>]
[-InPlace]
[-Recurse]
[-OutputFolder <String>]
[-SupressUI]
[-LogFile <String>]
[-ProcessContainers]
[<CommonParameters>]Description
The Unprotect-RMSFile cmdlet removes Rights Management (RMS) protection from one or more files in a specified folder if those files were previously protected by AD RMS or Azure RMS.
You must have sufficient usage rights or be a super user for your organization to unprotect files. For more information, see Configuring super users for Azure Information Protection and discovery services or data recovery.
If you're unprotecting a container file, each child is recursively extracted, unprotected, and repackaged. Supported container file types are .zip, .rar, .7z, .msg, and .pst.
For .pst files, 5 GB is the maximum file size supported with this cmdlet.
When you run this cmdlet, you have the following options:
The file is unprotected in the same folder so that the original protected file and the new unprotected file coexist.
The original file remains protected and an unprotected version of the file is created in another location.
All files in the specified folder are unprotected in the current location, replacing the original files that were protected.
All files in the specified folder remain protected and an unprotected version of each file is created in another location.
You can run this command concurrently when you specify a different path for the LogFile parameter for each command that runs in parallel. If you don't specify a different log file path and the previous command hasn't finished, the new command will fail.
Examples
Example 1: Unprotect a single file, replacing the original file
PS C:\>Unprotect-RMSFile -File "C:\Test.ptxt" -InPlace
InputFile DecryptedFile
--------- -------------
C:\Test.ptxt C:\ Test.txtThis command unprotects a single file named Test.ptxt, replacing this protected version of the file with an unprotected version in the same location. When an output directory is not provided and the InPlace parameter is specified, the source file is replaced.
Example 2: Unprotect a single file, retaining the original file
PS C:\>Unprotect-RMSFile -File "C:\Test.ptxt" -OutputFolder "C:\Temp"
InputFile DecryptedFile
--------- -------------
C:\Test.ptxt C:\Temp\Test.txtThis command unprotects a single file but retains the original protected file by creating the unprotected version in the folder location named C:\Temp. When an output folder is provided, a unique file name is created for the unprotected file. If a file of the same name exists, the new file name is made unique in the same way that File Explorer makes a unique copy of the same file name. For example, if Test.txt exists, Test Copy.txt is created, then Test Copy(2).txt.
Example 3: Unprotect a folder
PS C:\>Unprotect-RMSFile -Folder "C:\Protected" -OutputFolder "C:\Temp"
InputFile DecryptedFile
--------- -------------
C:\Protected\Test.ptxt C:\Temp\Protected\Test.txt
C:\Protected\Word.docx C:\Temp\Protected\Word.docxThis command unprotects a folder, retaining the original protected files and creating the unprotected versions in the folder location named C:\Temp and creates a corresponding subfolder of "Protected".
This command can also be used with the Recurse parameter, which determines whether to include the processing of subfolders.
Example 4: Unprotect a .PST file
PS C:\>Unprotect-RMSFile -File "C:\Test.pst" -OutputFolder "C:\Temp"
InputFile DecryptedFile
--------- -------------
C:\Test.pst C:\Temp\Test.pstThis command unprotects a .pst (Personal Storage Table) file, which are container files that can hold Microsoft Outlook .msg files.
In turn, these .msg files can be containers that hold attachments. Because the .pst file is a container, every child file and nested container are also unprotected by this operation.
Example 5: Unprotect a .RAR file
PS C:\>Unprotect-RMSFile -File "C:\Test.rar" -OutputFolder "C:\Temp"
InputFile DecryptedFile
--------- -------------
C:\Test.rar C:\Temp\Test.zipThis command unprotects a .rar archive file. Because .rar files are container files that hold nested files, these nested files can also be archives. Every child file and nested container are also unprotected by this operation.
Notice that for a .rar input file, the unprotected file is a .zip file.
Parameters
-File
Specifies the path and file to unprotect. For the path, you can specify a drive letter or UNC.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Folder
Specifies the path and folder to unprotect. All the files in the specified folder will be unprotected.
For the path, you can specify a drive letter or UNC.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-InPlace
The file or the files in the specified folder are unprotected in the current location, replacing the original protected file or files. This parameter is ignored if the OutputFolder parameter is specified.
If neither InPlace nor OutputFolder is specified, the new file is created in the current directory with "-Copy" appended to the file name, using the same naming convention that File Explorer uses when a file is copied and pasted into the same folder. For example, if a file with Document.docx is protected, the unprotected version is named Document-Copy.docx. If a file named Document-Copy.docx already exists, Document-Copy(2).docx is created, and so on.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-LogFile
Specifies the path and base file name, with optional file name extension for log files. These log files list the files that are successfully or unsuccessfully unprotected. The following three log files are created for success, failure, and debug respectively:
<file name>.<file name extension>
<file name>-failure.<file name extension>
<file name>-debug.<file name extension>
For container files, these log files also include nested files.
For example, if you specify C:\Users\Administrator\Unprotect-RMSFile.txt for this parameter, the following log files are created:
For files that were successfully unprotected: C:\Users\Administrator\Unprotect-RMSFile.txt
For any files that couldn't be unprotected: C:\Users\Administrator\Unprotect-RMSFile-failure.txt
For debug information: C:\Users\Administrator\Unprotect-RMSFile-debug.txt
For the path, you can specify a drive letter or UNC.
If you do not specify this parameter, the log files Success.log, Failure.log, and Debug.log are written to the default log file location of %localappdata%\Microsoft\MSIPC\pscmdlet\Logs[GUID].
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-OutputFolder
Specifies the output folder for unprotected versions of the protected files. The original folder structure is maintained, which means that subfolders might be created for your specified value.
For the path, you can use a drive letter or UNC.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ProcessContainers
This parameter is not currently implemented.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Recurse
Indicates that this operation unprotects all files in all subfolders.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SupressUI
This parameter is not implemented; there is no UI for this cmdlet.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |