Excluding Users

Updated: October 22, 2009

Applies To: Windows Server 2008 R2, Windows Server 2008 R2 with SP1

If you suspect that a user’s rights account certificate (RAC) has been compromised, you can exclude the RAC associated with that user account from obtaining use licenses from an Active Directory Rights Management Services (AD RMS) cluster. You can exclude the RAC by specifying either the user's e-mail address or the public key string of the user's RAC.

When you do this, AD RMS denies new use license requests that involve that RAC. After you exclude a RAC, the next time that user attempts to acquire a use license for new content, the request will be denied. To acquire a use license, the user will have to retrieve a new RAC with a new key pair.

If you add a user or RAC to the exclusion list of the AD RMS root cluster, you should also exclude the user or RAC on all licensing-only clusters in your organization. Each AD RMS cluster has independent exclusion lists.

Note

To permanently exclude a user from obtaining use licenses, modify the discretionary access control list (DACL) of the AD RMS cluster user certification pipeline (%systemdrive%\Inetpub\wwwroot\_wmcs\Certification\certification.asmx) to deny all access by the user.

Membership in the local AD RMS Enterprise Administrators, or equivalent, is the minimum required to complete this procedure.

To enable user RAC exclusion

  • At the Windows PowerShell command prompt, type:

    Set-ItemProperty -Path <drive>:\ExclusionPolicy\User -Name IsEnabled -Value $true

To exclude a user’s RAC

  • Do one of the following:

    • To exclude a user’s RAC by specifying the user’s e-mail address, at the Windows PowerShell command prompt, type:

      New-Item -Path <drive>:\ExclusionPolicy\User -Name <user_name>@<domain>

      where <drive> is the name of the Windows PowerShell drive, <user_name> is the user name of the user whose RAC is being excluded, and <domain> is the domain portion of the e-mail address of the user whose RAC is being excluded.

    • To exclude a user’s RAC by specifying the user’s RAC public key, at the Windows PowerShell command prompt, type:

      New-Item -Path <drive>:\ExclusionPolicy\User -PublicKey "<key>"

      where <drive> is the name of the Windows PowerShell drive, and <key> is the user’s RAC public key.

To stop excluding a user’s RAC

  1. At the Windows PowerShell command prompt, type:

    Get-ChildItem -Path <drive>:\ExclusionPolicy\User

    where <drive> is the name of the Windows PowerShell drive. Note the ID of the user whose RAC you want to stop excluding.

  2. At the Windows PowerShell command prompt, type:

    Remove-Item -Path <drive>:\ExclusionPolicy\User\<user_ID>

    where <drive> is the name of the Windows PowerShell drive, and <user_ID> is the ID of the user you found in the previous step.
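The three procedures above, applied to every cluster at once because each AD RMS cluster keeps its own exclusion list. This is an added example, not a script from the original page; it assumes the AdRmsAdmin module is available on the administration workstation, that the drive name RMS and the cluster URLs and e-mail addresses are placeholders you replace, and that the account running it is an AD RMS Enterprise Administrator on each cluster.

```powershell
# Added example (not from the original page): exclude a set of compromised
# user RACs on the root cluster AND every licensing-only cluster, since each
# AD RMS cluster keeps an independent exclusion list.
# Assumptions: the AdRmsAdmin module is installed, the cluster URLs and
# e-mail addresses below are constructed placeholders, and the caller is an
# AD RMS Enterprise Administrator on every cluster listed.

Import-Module AdRmsAdmin

# Constructed placeholder values; replace with your own.
$Clusters = @(
    'https://adrms-root.corp.example'    # root (certification) cluster
    'https://adrms-lic1.corp.example'    # licensing-only cluster
)
$CompromisedUsers = @(
    'alice@corp.example'
    'bob@corp.example'
)

foreach ($cluster in $Clusters) {
    Write-Output "=== $cluster ==="
    try {
        # Mount the AD RMS administration provider as a temporary drive (hypothetical name RMS)
        New-PSDrive -Name RMS -PSProvider AdRmsAdmin -Root $cluster -ErrorAction Stop | Out-Null

        # Step 1: enable user RAC exclusion on this cluster
        Set-ItemProperty -Path 'RMS:\ExclusionPolicy\User' -Name IsEnabled -Value $true -ErrorAction Stop

        # Step 2: add each user's RAC to the exclusion list by e-mail address
        foreach ($user in $CompromisedUsers) {
            try {
                New-Item -Path 'RMS:\ExclusionPolicy\User' -Name $user -ErrorAction Stop | Out-Null
                Write-Output "Excluded $user"
            } catch {
                # Already excluded or another failure: report it and continue with the rest
                Write-Warning "Could not exclude $user on ${cluster}: $($_.Exception.Message)"
            }
        }

        # Step 3: show the resulting list; the ID displayed is what Remove-Item
        # needs if an exclusion has to be lifted later
        Get-ChildItem -Path 'RMS:\ExclusionPolicy\User' | Format-Table -AutoSize
    } catch {
        Write-Warning "Skipping ${cluster}: $($_.Exception.Message)"
    } finally {
        # Always unmount so the next cluster can reuse the drive name
        if (Get-PSDrive -Name RMS -ErrorAction SilentlyContinue) { Remove-PSDrive -Name RMS }
    }
}
```

After running it, the new RACs users obtain when they re-enroll carry new key pairs and are not affected; the listed e-mail entries deny use licenses only to the compromised RACs.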

See Also

Concepts

Using Windows PowerShell to Administer AD RMS
Understanding the AD RMS Administration Provider Namespace
Enabling Exclusion Policies

Other Resources

Understanding AD RMS Exclusion Policies