Exclude Users

Applies To: Windows Server 2008 R2, Windows Server 2012

You can exclude a user account from obtaining use licenses from an Active Directory Rights Management Services (AD RMS) cluster by specifying either the user's e-mail address or the public key string of the rights account certificate (RAC) that is associated with the user.

Users who are not allowed to consume rights-protected content but have e-mail accounts in your Active Directory Domain Services (AD DS) forest should be excluded by their e-mail addresses.

If a user is trusted but his or her AD RMS credentials are compromised, you can exclude only the compromised RAC by excluding its public key. When you do this, AD RMS denies new use license requests that involve that RAC. After you exclude a RAC, the next time that user attempts to acquire a use license for new content, the request will be denied. To acquire a use license, the user will have to retrieve a new RAC with a new key pair.

If you need to exclude external users, such as Windows Live ID users, federated users, and users identified by a trusted user domain, who are not part of your AD DS forest, you can also specify a RAC to exclude their public keys.

If you add a user to the exclusion list of the AD RMS root cluster, you should also exclude the user on all licensing-only clusters in your organization. Each AD RMS cluster has independent exclusion lists.

Membership in the local AD RMS Enterprise Administrators group, or equivalent, is the minimum required to complete this procedure.

To exclude a user

  1. Open the Active Directory Rights Management Services console and expand the AD RMS cluster.

  2. In the console tree, expand Exclusion Policies, and then click Users.

  3. In the Actions pane, click Enable User Exclusion.

  4. In the Actions pane, click Exclude user. The Exclude User Account wizard appears.

  5. Do one of the following:

    • To exclude a user by e-mail address, click the Use this option for excluding rights account certificates of internal users who have an Active Directory Domain Services account option, and then click Browse to browse to a user or group in your Active Directory Domain Services directory or type the e-mail address of the user to be excluded.

    • To exclude a user by the public key assigned to the user's rights account certificate, click the Use this option for excluding rights account certificates of external users who do not have an Active Directory Domain Services account option, and then type the appropriate rights account certificate public key string in the Public key string box.

  6. Click Finish.
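The e-mail-address form of the procedure above, carried out with Windows PowerShell against the root cluster and each licensing-only cluster in turn, because each cluster keeps its own exclusion list. This is an added example and is not code from this page; it assumes the AdRmsAdmin provider exposes the user exclusion list at ExclusionPolicy\User with an IsEnabled property, and the cluster URLs and the user's address are placeholders for your environment.

```powershell
# Added example, not from the original page. Excludes one user by e-mail
# address on every AD RMS cluster listed, then reads each list back.
# Assumptions: the AdRmsAdmin Windows PowerShell provider is installed on the
# server where this runs, user exclusion lives under <drive>:\ExclusionPolicy\User
# with an IsEnabled property, and the URLs and address below are placeholders.

$clusters = @(
    'https://rms-root.example.internal',   # AD RMS root cluster (placeholder)
    'https://rms-lic01.example.internal'   # licensing-only cluster (placeholder)
)
$userToExclude = 'jdoe@example.internal'   # placeholder e-mail address

$n = 0
foreach ($url in $clusters) {
    $drive = "Rms$n"; $n++
    # Mount the cluster's configuration as a PSDrive.
    New-PSDrive -Name $drive -PSProvider AdRmsAdmin -Root $url -ErrorAction Stop | Out-Null
    $policyPath = "${drive}:\ExclusionPolicy\User"

    # Step 3 of the procedure: entries only take effect once user exclusion is enabled.
    $enabled = (Get-ItemProperty -Path $policyPath -Name IsEnabled).IsEnabled
    if (-not $enabled) {
        Set-ItemProperty -Path $policyPath -Name IsEnabled -Value $true
    }

    # Steps 4-6: add the e-mail address unless this cluster already lists it.
    $already = Get-ChildItem -Path $policyPath | Where-Object { $_.Name -eq $userToExclude }
    if (-not $already) {
        New-Item -Path $policyPath -Name $userToExclude | Out-Null
    }

    # Read the list back so the result on every cluster can be checked in one run.
    Write-Host "[$url] excluded users:"
    Get-ChildItem -Path $policyPath | Select-Object Name | Format-Table -AutoSize
    Remove-PSDrive -Name $drive
}
```

Excluding a compromised RAC by its public key string is done the same way with the key string in place of the e-mail address, as the wizard's second option describes.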

To stop excluding users

  1. Open the Active Directory Rights Management Services console and expand the AD RMS cluster.

  2. In the console tree, expand Exclusion Policies, and then click Users.

  3. Do one of the following:

    • To disable user exclusion for all user accounts, in the Actions pane, click Disable User Exclusion. All user accounts previously excluded will then be able to acquire AD RMS use licenses.

    • To stop excluding a specific user account, in the results pane, select the excluded user certificate.

  4. In the Actions pane, click Delete, and then click Yes to confirm the removal.
