AD RMS: How to Exclude a User Whose RMS Credentials Are Compromised
If a user is trusted but his or her RMS credentials are compromised, you can exclude the user’s rights account certificate by excluding its public key. When you do this, RMS denies new use license requests that involve that rights account certificate. After you exclude a rights account certificate, the next time that user attempts to acquire a use license for new content, the request will be denied. To acquire a use license, the user will have to retrieve a new rights account certificate with a new key pair.
Rights account certificates can be excluded by using the Exclusion policies page of the administration Web site. When you exclude a user’s rights account certificate, RMS adds the excluded key, the user’s account name, and the date and time of the exclusion to the DRMS_GicExclusionList table of the configuration database for the root cluster. This information is also displayed on the administration Web site’s Exclusion policies page. In addition, RMS deletes both the public and private keys that are associated with the excluded account certificate from the UD_Users table of the configuration database.
To exclude a rights account certificate that is on the root cluster, specify the user’s domain account on the Exclusion policies page of a server that is a member of the root cluster. An exclusion entered on the root cluster is not applied to subenrolled servers automatically, so you should also exclude the rights account certificate on each subenrolled server’s administration Web site. To exclude a user on a subenrolled licensing-only cluster, enter the public key value for the rights account certificate on the Exclusion policies page of the administration Web site of a server that is a member of the licensing-only cluster. You can obtain this value from the Exclusion policies page of the root certification cluster’s administration Web site.
To simplify rights account certificate exclusion throughout a multiple-cluster RMS deployment, you can replicate the DRMS_GicExclusionList table from the configuration database of the root cluster to the configuration database of each licensing-only cluster. If you do this, you do not have to manually enter the public key value on each cluster.
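As an added example (not part of the original article and not a Microsoft-supplied script), the following Transact-SQL shows the check a practitioner would want before trusting a multiple-cluster exclusion setup: it lists the exclusions on a licensing-only cluster and then compares them with the root cluster's DRMS_GicExclusionList to find excluded keys that the licensing-only cluster does not yet know about. It assumes SQL Server with a linked server named ROOTCLUSTER_SQL that points at the root cluster's SQL instance, a root configuration database named ROOT_CONFIG_DB, and the placeholder column names UserName, PublicKey, and ExclusionDate; the real column names of DRMS_GicExclusionList are not given on this page and must be confirmed against your own configuration database before the script is run.

```sql
-- Added example, not from the original article. All names below are assumptions:
--   ROOTCLUSTER_SQL  : linked server pointing at the root cluster's SQL instance
--   ROOT_CONFIG_DB   : the root cluster's configuration database
--   UserName, PublicKey, ExclusionDate : placeholder column names; verify them
--   against the actual DRMS_GicExclusionList schema before running.
-- Run this while connected to the licensing-only cluster's configuration database.

-- 1. Review the exclusions currently known to this licensing-only cluster,
--    most recent first, to confirm that the expected accounts are present.
SELECT UserName, PublicKey, ExclusionDate
FROM dbo.DRMS_GicExclusionList
ORDER BY ExclusionDate DESC;

-- 2. Detect drift: excluded rights account certificates that exist on the
--    root cluster but are missing here. Every row returned is a gap, because
--    a compromised certificate that is excluded only on the root cluster can
--    still obtain use licenses from this licensing-only cluster.
SELECT r.UserName, r.PublicKey, r.ExclusionDate
FROM [ROOTCLUSTER_SQL].[ROOT_CONFIG_DB].dbo.DRMS_GicExclusionList AS r
LEFT JOIN dbo.DRMS_GicExclusionList AS l
    ON l.PublicKey = r.PublicKey
WHERE l.PublicKey IS NULL
ORDER BY r.ExclusionDate DESC;

-- 3. Close the gap by copying the missing rows from the root cluster. This is
--    a one-shot manual copy, equivalent to entering the public key on the
--    Exclusion policies page for each missing row; ongoing table replication
--    as described in the article would replace the need to run it repeatedly.
BEGIN TRANSACTION;
INSERT INTO dbo.DRMS_GicExclusionList (UserName, PublicKey, ExclusionDate)
SELECT r.UserName, r.PublicKey, r.ExclusionDate
FROM [ROOTCLUSTER_SQL].[ROOT_CONFIG_DB].dbo.DRMS_GicExclusionList AS r
LEFT JOIN dbo.DRMS_GicExclusionList AS l
    ON l.PublicKey = r.PublicKey
WHERE l.PublicKey IS NULL;
COMMIT TRANSACTION;
```

Step 2 is the useful part on its own: scheduled against each licensing-only cluster, an empty result confirms that every exclusion made on the root cluster has reached that cluster, and a non-empty result names the keys that still need to be entered (or copied with step 3) before the affected user's compromised certificate is fully blocked across the deployment.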
To Exclude Rights Account Certificates
Log on to the computer with a user account that is a member of the local Administrators group.
Click Start, point to All Programs, point to Windows RMS, and then click Windows RMS Administration to open the Global Administration page.
Next to the Web site on which you want to exclude rights account certificates, click Administer RMS on this Web site.
In the Administration links area, click Exclusion policies.
In the rights account certificate exclusion area, click Enable to exclude a user’s rights account certificate.
Select the method for specifying the rights account certificate to exclude:
- To exclude the rights account certificate by user name, click User name for the rights account certificate to exclude, type the name of the user to be excluded (in the form user_name@domain_name.com), and then click Add. Use this option for excluding the rights account certificates of internal users who have Active Directory user accounts.
- To exclude a rights account certificate by its public key, click Public key string for the rights account certificate to exclude, type the appropriate rights account certificate public key string, and then click Add. Use this option for excluding the rights account certificates of external users who do not have Active Directory user accounts.
To delete an account certificate from the exclusion list, click the excluded rights account certificate in the list, and then click Delete selected public keys from the exclusion list. The user who has that specific account certificate will now be able to get a license for rights-protected content from this cluster.
To disable the exclusion of rights account certificates, click Disable.