Only explicit users assigned to Rights Policy Templates working, not groups

  • Question

  • Hi,


    I have a 2 node Root AD RMS cluster with a few Rights Policy templates (RPTs). These AD RMS servers are installed on Win 2008 R2 Enterprise servers.

    The RPTs work fine and allow users to decrypt encrypted email if their email address is individually specified in the "User Rights" section of the RPT. If I use a group, though, the user does not have rights. I have tried Universal Distribution groups and mail-enabled Universal Security groups to no avail. As soon as I add the user back in individually, the email can be decrypted, and stays encrypted.

    Our domains are set up like so:

    ROOT.com (root domain)
    e.ROOT.com (child resources domain - distribution list is on here, AD RMS, Exchange servers are Member Servers on this domain)
    d.ROOT.com (child user domain - user accounts)
    c.ROOT.com (child user domain 2 - user accounts)

    So basically I have a Universal DL or mail-enabled SG on e, with d and c user accounts as members of the group. I apply the email address of the DL or mail-enabled SG to the RPT and the users do not get permissions.

    I have to run a pilot of this on clients in a couple days, so unless I figure this out before then I will be adding the individual user accounts to the RPT, but this can't be a final solution...

    • Edited by phatmike128 Monday, June 3, 2013 12:40 AM removed domains
    Monday, June 27, 2011 5:40 AM

Answers

  • Thanks Adnan. The pilot went ahead okay.

    After a day we needed to add a new user to the group. This client did not get the correct Rights Account Certificate allowing her to decrypt email content on the same day, even though she had full permission set on the RPT. The next day it worked, so we realised that this depends on the client updating the exchange GAL to work correctly. We have noted this replication delay of approx 24 hours for our provisioning processes.

    • Marked as answer by phatmike128 Tuesday, July 12, 2011 1:47 AM
    Tuesday, July 12, 2011 1:47 AM

All replies

  • Hi

    This should be a working scenario; it seems strange that you are having these issues.

    To start troubleshooting:

    1. Can you verify that the Active Directory replication is functioning correctly? Add a user to a mail-enabled security group and force replication through the forest.
       Verify on the workstation with gpresult /v and check if the user is listed in the group.
    2. Patch the workstation completely, including Office service packs and hotfixes.
    3. Log off and log in with the test user after adding it to a group.

    Plus verify that all testing components are on the same level, e.g. the workstation's OS, service pack, hotfixes, and Office service pack hotfixes.

    Hope this helps.

    Blog Link: http://blogs.cyquent.ae | Follow us on Twitter: @cyquent

    Tuesday, June 28, 2011 1:25 PM
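Step 1 above (verify that group membership has actually replicated before blaming AD RMS) can be checked from a script. The following is an added example, not code from anyone in this thread: it reads the group's member attribute from every domain controller of the group's domain and reports any replica that disagrees. The group name is a placeholder and the domain is the resources domain from the question; it assumes the ActiveDirectory PowerShell module (RSAT) is installed.

```powershell
# Added example (not from the thread): compare a group's member list as seen
# on each DC of its domain, to catch stale replicas before users are told
# their Rights Policy Template is broken.
param(
    [string]$GroupName = 'RMS-Confidential-Readers',   # placeholder group name
    [string]$Domain    = 'e.ROOT.com'                  # resources domain from the question
)
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * -Server $Domain |
       Select-Object -ExpandProperty HostName
$views = @{}
foreach ($dc in $dcs) {
    try {
        # whenChanged is not replicated, so it tells us when THIS DC last
        # applied a change to the group; useful for picking a reference replica.
        $g = Get-ADGroup -Identity $GroupName -Server $dc -Properties member, whenChanged
        $views[$dc] = [pscustomobject]@{
            Members = @($g.member | Sort-Object)
            Changed = $g.whenChanged
        }
    } catch {
        Write-Warning "Could not read $GroupName from $dc : $_"
    }
}
if ($views.Count -eq 0) { throw "No DC returned the group; check the name and domain." }

# Treat the most recently changed replica as the reference (heuristic only).
$ref = $views.GetEnumerator() |
       Sort-Object { $_.Value.Changed } -Descending | Select-Object -First 1
foreach ($entry in $views.GetEnumerator()) {
    $a = $ref.Value.Members; $b = $entry.Value.Members
    # Compare-Object rejects empty arrays, so handle the both-empty case first.
    $diff = if ($a.Count -eq 0 -and $b.Count -eq 0) { $null } else { Compare-Object $a $b }
    if ($diff) {
        Write-Host "$($entry.Key) differs from reference $($ref.Key):" -ForegroundColor Yellow
        $diff | ForEach-Object { "  {0} {1}" -f $_.SideIndicator, $_.InputObject }
    } else {
        Write-Host "$($entry.Key) matches reference ($($b.Count) members)"
    }
}

# If replicas disagree, force a forest-wide push and re-run this script:
#   repadmin /syncall /AdeP
# To see which DC originated the last write to the member attribute:
#   repadmin /showobjmeta <DC> "<group DN>" | findstr /i member
```

Members from the d and c user domains show up here as DNs because universal group membership is stored on the group object; if the replicas agree but the user still lacks rights, the problem is downstream of AD replication (client RAC cache or GAL update, as the later replies found).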
  • Hi,

    I played around with this some more today and it works, somehow...

    I don't know what was happening yesterday but it wasn't working at all that's for sure.

    I even have it working with my original distribution groups on the DOC child domain, which it didn't seem to be originally.

    I was constantly deleting the RAC content under C:\documents and settings\username\local settings\application data\microsoft\drm and logging in and out with a couple test accounts to regenerate and force it to pull down new RACs. Is there any other data that should be deleted when testing over and over with different AD accounts and RPT User rights?

    I will let you know how I go with the pilot group tomorrow night. Hope it works!

    Tuesday, June 28, 2011 1:35 PM
  • That's good to hear. I believe it must be an AD replication issue. Just ensure you give sufficient time after making changes to a group's properties, or force replication through the forest using replmon or repadmin.

    Blog Link: http://blogs.cyquent.ae | Follow us on Twitter: @cyquent

    Wednesday, June 29, 2011 8:38 AM