Restricted access to AD RMS services

  • Question

  • Hi,

    I would like to restrict access to the AD RMS service to a specific user group. I am using it to protect MS Office documents. So I don't want other users who have MS Office Pro installed to use the Restrict document option to encrypt the documents. I know they can at least use the default option to restrict documents. What is the best way to achieve it? Should I only give access to authorised users on the server and restrict all other users?

    Vivek

    Monday, October 13, 2014 12:00 AM

All replies

  • Hi,

    All users that can read the AD RMS SCP will automatically be able to "see" the URL of the AD RMS cluster and will try to contact that server when a user tries to protect a document.

    You can play around with the permissions on the SCP to allow Read only to users or groups of your choice. Remember not to remove all permissions unless you make sure that Domain Admins have Read/Write permissions assigned manually. If you don't, and you remove all default permissions, you will have trouble reconfiguring permissions as an Enterprise/Domain Admin because you had removed that permission...

    To view the SCP, connect to the configuration container in ADSI Edit and navigate the following nodes: CN=Configuration [server name], CN=Services, CN=RightsManagementServices, CN=SCP. Right-click CN=SCP and go to the Security tab.

    Also, you can leave the SCP as is and set Read access only for groups or users of your choice on the following files on each of the RMS cluster nodes:

    • c:\Inetpub\wwwroot\_wmcs\_wmcs\licensing\license.asmx
    • c:\Inetpub\wwwroot\_wmcs\_wmcs\Certification\certification.asmx 

    In that case, users will be able to see the AD RMS cluster URL (using the SCP), but will not be able to generate a RAC and CLC because of the permissions on the above files. There will be an error window once they try to protect a document using, e.g., Microsoft Word.


    Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer.

    Friday, October 24, 2014 7:38 PM
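
A read-only audit of the file permissions described in the reply above, added here as an example and not part of the original thread. It lists every identity that is allowed Read on the two .asmx files and flags broad groups; the default paths are copied from the reply and may need adjusting for your install, and treating Domain Users (RID 513) as "broad" is an assumption of this example.

```powershell
# Added example: report who can read the AD RMS licensing/certification endpoints.
# Run on each RMS cluster node. It only reads ACLs; it changes nothing.
param(
    # Defaults are the paths quoted in the reply; override with -Path if yours differ.
    [string[]]$Path = @(
        'c:\Inetpub\wwwroot\_wmcs\_wmcs\licensing\license.asmx',
        'c:\Inetpub\wwwroot\_wmcs\_wmcs\Certification\certification.asmx'
    )
)

# Well-known SIDs that cover (nearly) every user who can log on.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$read = [System.Security.AccessControl.FileSystemRights]::Read

foreach ($file in $Path) {
    if (-not (Test-Path -LiteralPath $file)) {
        Write-Warning "Not found: $file"
        continue
    }
    foreach ($ace in (Get-Acl -LiteralPath $file).Access) {
        # Only Allow entries that include the full Read right are of interest.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $read) -ne $read) { continue }

        # Compare by SID so localized or renamed groups are still recognized.
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # unresolvable account
        }
        # Assumption: Domain Users (domain SID ending in -513) counts as broad.
        $broad = $broadSids.ContainsKey($sid) -or ($sid -match '^S-1-5-21-.*-513$')

        [pscustomobject]@{
            File      = Split-Path -Leaf $file
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Broad     = $broad
        }
    }
}
```

Rows with `Broad = True` show where users outside the intended group can still reach the endpoints; rows with `Inherited = True` come from a parent folder rather than the file itself.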