Exclude Users

Applies To: Windows Server 2008

If you suspect that a user’s rights account certificate (RAC) has been compromised, you can exclude the RAC associated with that user account from obtaining use licenses from an Active Directory Rights Management Services (AD RMS) cluster. You can identify the RAC to exclude by specifying either the user's e-mail address or the public key string of the RAC issued to that user.

When you do this, AD RMS denies new use license requests that involve that RAC. After you exclude a RAC, the next time that user attempts to acquire a use license for new content, the request will be denied. To acquire a use license, the user will have to retrieve a new RAC with a new key pair.

If you add a user or RAC to the exclusion list of the AD RMS root cluster, you should also exclude the user or RAC on all licensing-only clusters in your organization. Each AD RMS cluster has independent exclusion lists.

Note

To permanently exclude a user from obtaining use licenses, modify the discretionary access control list (DACL) of the AD RMS cluster user certification pipeline (%systemdrive%\Inetpub\wwwroot\_wmcs\Certification\certification.asmx) to deny all access by the user.
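The DACL change described in the note can be scripted. The following PowerShell is an added example and is not part of the original page or of AD RMS itself; it assumes the default AD RMS installation path for the certification pipeline and uses a placeholder account name (CONTOSO\jdoe) that you would replace with the account to exclude. It adds a Deny ACE for full control on certification.asmx and then lists the resulting Deny entries so you can confirm the change took effect.

```powershell
# Added example (not from the original page): permanently deny a user
# access to the AD RMS user certification pipeline by adding a Deny ACE
# to the DACL of certification.asmx.
#
# Assumptions: default AD RMS install path; $account is a placeholder.
$pipeline = Join-Path $env:SystemDrive 'Inetpub\wwwroot\_wmcs\Certification\certification.asmx'
$account  = 'CONTOSO\jdoe'   # placeholder: replace with the user to exclude

# Read the current DACL of the pipeline file.
$acl = Get-Acl -Path $pipeline

# Build a Deny rule for FullControl, which blocks every right the user
# could otherwise exercise on the file (Deny ACEs take precedence over Allow).
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $account, 'FullControl', 'Deny'

# Add the rule and write the updated DACL back to the file.
$acl.AddAccessRule($rule)
Set-Acl -Path $pipeline -AclObject $acl

# Verification: show the Deny entries for the account on the pipeline file.
(Get-Acl -Path $pipeline).Access |
    Where-Object { $_.IdentityReference -eq $account -and $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run this in an elevated PowerShell session on the AD RMS server; because each cluster keeps its own pipeline files, repeat it on every licensing-only cluster where the user should also be blocked. Removing the rule later is the mirror image of the same steps with `$acl.RemoveAccessRule($rule)` followed by `Set-Acl`.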

Membership in the local AD RMS Enterprise Administrators, or equivalent, is the minimum required to complete this procedure.

To exclude a user’s RAC

  1. Open the Active Directory Rights Management Services console and expand the AD RMS cluster.

  2. In the console tree, expand Exclusion Policies and then click Users.

  3. In the Actions pane, click Enable User Exclusion.

  4. In the Actions pane, click Exclude user. The Exclude User Account wizard appears.

  5. Do one of the following:

    • To exclude a RAC issued to a user by specifying the user’s e-mail address, click the Use this option for excluding rights account certificates of internal users who have an Active Directory Domain Services account option, and then either click Browse to select a user or group in your Active Directory Domain Services directory or type the e-mail address of the user to be excluded.

    • To exclude a RAC issued to a user by specifying the public key assigned to the user's RAC, click the Use this option for excluding rights account certificates of external users who do not have an Active Directory Domain Services account option, and then type the appropriate rights account certificate public key string in the Public key string box.

  6. Click Finish.

To stop excluding users’ RACs

  1. Open the Active Directory Rights Management Services console and expand the AD RMS cluster.

  2. In the console tree, expand Exclusion Policies, and then click Users.

  3. Do one of the following:

    • To disable user exclusion for all user accounts, in the Actions pane, click Disable User Exclusion. All user accounts previously excluded will be able to acquire AD RMS use licenses.

    • To stop excluding a specific user account, in the results pane, select the excluded user certificate.

  4. In the Actions pane, click Delete, and then click Yes to confirm the removal.

Additional references