E_ACCESSDENIED Error in RMS v1
When the RMS v1 SP2 client is installed, the following folder is automatically created on the machine: %allusersprofile%\AppData\Microsoft\DRM\Server. This folder is created to allow non-admin users, such as Network Service, to create the <sid> folder and licenses in the folder. This information only pertains to organizations running RMS v1; it is not applicable to AD RMS.
If you receive reports of RMS applications failing machine activation with the error message E_ACCESSDENIED, make sure that the folder exists on the affected machines and that it has the appropriate ACLs assigned to it. The appropriate ACLs, and a key, are listed below.
Windows 7 and Windows Vista:
C:\ProgramData\Application Data\Microsoft\DRM\Server>icacls .
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
Everyone:(OI)(CI)(R,AD)
C:\ProgramData\Application Data\Microsoft\DRM\Server>cacls .
C:\ProgramData\Application Data\Microsoft\DRM\Server
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
Everyone:(OI)(CI)(special access:)
    READ_CONTROL
    SYNCHRONIZE
    FILE_GENERIC_READ
    FILE_READ_DATA
    FILE_APPEND_DATA
    FILE_READ_EA
    FILE_READ_ATTRIBUTES
Windows XP:
C:\Documents and Settings\All Users\Application Data\Microsoft\DRM\Server>icacls .
Everyone:(OI)(CI)(AD,RA)
BUILTIN\Administrators:(I)(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
C:\Documents and Settings\All Users\Application Data\Microsoft\DRM\Server>cacls .
C:\Documents and Settings\All Users\Application Data\Microsoft\DRM\Server
Everyone:(OI)(CI)(special access:)
    FILE_APPEND_DATA
    FILE_READ_ATTRIBUTES
BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
Key:
OI: Object Inherit
CI: Container Inherit
F: Full Access
R: Read-only access
AD: Append data/add subdirectory
RA: Read attributes
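
The folder and ACL check described above can be scripted for use on machines that report E_ACCESSDENIED. The following PowerShell function is an added example, not part of the original article: the name Test-DrmServerAcl is hypothetical, the defaults mirror the Windows 7 / Windows Vista listing, and well-known SIDs are used in place of the account names. It assumes PowerShell is available on the machine, and it goes slightly beyond the listing by also warning when one of the three identities holds more rights than listed.

```powershell
# Added example, not from the original article. Test-DrmServerAcl is a
# hypothetical name; defaults mirror the Windows 7 / Vista listing above.
# For Windows XP pass the XP path and -EveryoneRights 'AppendData, ReadAttributes'.
function Test-DrmServerAcl {
    param(
        [string]$Path = 'C:\ProgramData\Application Data\Microsoft\DRM\Server',
        [string]$EveryoneRights = 'Read, AppendData, Synchronize'   # (R,AD)
    )
    # Well-known SIDs stand in for the account names so the check also
    # works on non-English systems.
    $expected = @{
        'S-1-5-18'     = 'FullControl'     # NT AUTHORITY\SYSTEM    (F)
        'S-1-5-32-544' = 'FullControl'     # BUILTIN\Administrators (F)
        'S-1-1-0'      = $EveryoneRights   # Everyone
    }
    if (-not (Test-Path -Path $Path -PathType Container)) {
        Write-Warning "Folder is missing: $Path"
        return $false
    }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $allow = @((Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.AccessControlType -eq 'Allow' })
    $ok = $true
    foreach ($sid in $expected.Keys) {
        $need = [int][System.Security.AccessControl.FileSystemRights]$expected[$sid]
        $have = 0   # rights granted with both (OI) and (CI)
        $any  = 0   # rights granted by any allow entry for this SID
        foreach ($ace in $allow) {
            if ($ace.IdentityReference.Value -ne $sid) { continue }
            $any = $any -bor [int]$ace.FileSystemRights
            if ([int]$ace.InheritanceFlags -eq 3) {   # ContainerInherit + ObjectInherit
                $have = $have -bor [int]$ace.FileSystemRights
            }
        }
        if (($have -band $need) -ne $need) {
            Write-Warning "$sid lacks '$($expected[$sid])' with (OI)(CI)"
            $ok = $false
        }
        if (($any -band (-bnot $need)) -ne 0) {
            Write-Warning "$sid holds rights beyond '$($expected[$sid])'"
            $ok = $false
        }
    }
    return $ok
}

Test-DrmServerAcl
```

The function returns $true only when the folder exists and all three entries match the listing; any deviation is written to the warning stream.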