RMS security for files

  • Question

  • Hi,

    We are using RMS in one of the SharePoint libraries in a 2013 site. I wanted to know if the RMS configuration can be utilized for:

    • File servers.
    • Devices (mobiles, tablets).

    Regards,

    Pradeep.


    Shonilchi..

    Thursday, April 16, 2015 1:16 PM

All replies

  • Hi, 

    Azure Rights Management (Azure RMS) can protect your company’s sensitive information in all these scenarios. It uses encryption, identity, and authorization policies to help secure your files and email, and it works across multiple devices—phones, tablets, and PCs.

    You can use Azure RMS to automatically protect files on file servers that run at least Windows Server 2012 and are configured to use File Classification Infrastructure.

    For more detailed information, refer to the following article:

    https://technet.microsoft.com/en-us/library/jj585026.aspx

    Best Regards,

    Lisa Chen


    TechNet Community Support
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, April 20, 2015 7:34 AM
  • This is great.  Thanks a lot Lisa!

    Have a query on our current state in our farm:  We were in ABC domain when in SharePoint 2010.  When in SharePoint 2013, we are shifting to DEF domain.  Also, we have licenses for DEF domain users (we are in the process of migrating the 2010 farm to 2013).  So, could we restrict RMS to be utilized for ABC domain only or DEF domain users only?

    Regards,

    Pradeep.


    Shonilchi..

    Monday, April 20, 2015 12:39 PM
  • Hi,

    AD RMS uses AD DS to identify users and distribution groups. When an organization’s AD DS deployment includes multiple forests, AD RMS uses AD DS contact objects to obtain the identities of users and groups that are part of a different forest than the AD RMS cluster. The problem is that user or group objects from other forests do not typically have representative objects that are in the forest where AD RMS resides. If you intend to use AD RMS to restrict permissions to users or groups who are from other forests, you need to configure your Active Directory forest appropriately to allow group expansion to occur across forests.

    You can implement group expansion support across forests for AD RMS in two ways:

    1. Deploy an AD RMS cluster into the forest where the groups are defined, and where it will be used to expand the membership of these groups. AD DS Universal groups should be used so that the group membership is replicated to every global catalog server in the forest. Schema extensions must exist in forests that contain contact objects that allow the schema extensions to point back to the forests that contain the actual objects. If schema extensions are not used, client registry overrides are required.
    2. Synchronize group definitions among forests to allow the local AD RMS installation to determine the complete group membership for any user. If the user who is requesting a use license has a Windows account in a separate forest, there also must be a contact object in the local forest to represent that user’s group membership.

    The reference: AD RMS Prerequisites: https://technet.microsoft.com/en-us/library/dd772659%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    Best Regards,

    Lisa Chen



    • Proposed as answer by Eric Tao Thursday, May 7, 2015 3:04 AM
    Wednesday, April 29, 2015 6:20 AM
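
The second option in the last reply requires a contact object in the local forest for every user whose account lives in another forest. The following is an added example, not part of the original thread: a PowerShell check that lists remote-forest users with no matching local contact. Matching on `mail` and `proxyAddresses` is an assumption, and the group name, server names and sample accounts are constructed placeholders.

```powershell
# Added example. Matching contacts to users by mail/proxyAddresses is an assumption.
function Get-SmtpAddress {
    param($DirectoryObject)
    # Collect mail plus any smtp: proxy addresses, lower-cased for comparison.
    $addresses = @()
    if ($DirectoryObject.mail) { $addresses += $DirectoryObject.mail }
    foreach ($p in @($DirectoryObject.proxyAddresses)) {
        if ($p -match '^smtp:(.+)$') { $addresses += $Matches[1] }
    }
    $addresses | ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique
}

function Find-MissingContact {
    param([object[]]$RemoteUsers, [object[]]$LocalContacts)
    # Index every address that a local contact object represents.
    $known = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($c in $LocalContacts) {
        foreach ($a in (Get-SmtpAddress $c)) { [void]$known.Add($a) }
    }
    foreach ($u in $RemoteUsers) {
        $addrs = @(Get-SmtpAddress $u)
        if ($addrs.Count -eq 0) {
            [pscustomobject]@{ User = $u.SamAccountName; Issue = 'no mail attribute' }
        } elseif (-not ($addrs | Where-Object { $known.Contains($_) })) {
            [pscustomobject]@{ User = $u.SamAccountName; Issue = 'no contact in local forest' }
        }
    }
}

# Live input (placeholder names), using the ActiveDirectory module:
# $remoteUsers = Get-ADGroupMember 'RMS-Readers' -Server 'abc.example' -Recursive |
#     Where-Object objectClass -eq 'user' |
#     ForEach-Object { Get-ADUser $_.DistinguishedName -Server 'abc.example' -Properties mail, proxyAddresses }
# $localContacts = Get-ADObject -LDAPFilter '(objectClass=contact)' -Server 'def.example' -Properties mail, proxyAddresses

# Constructed sample data so the check runs without a directory.
$remoteUsers = @(
    [pscustomobject]@{ SamAccountName = 'alice'; mail = 'alice@abc.example' },
    [pscustomobject]@{ SamAccountName = 'bob';   mail = 'Bob@abc.example' },
    [pscustomobject]@{ SamAccountName = 'carol'; mail = $null },
    [pscustomobject]@{ SamAccountName = 'dave';  mail = 'dave@abc.example' }
)
$localContacts = @(
    [pscustomobject]@{ mail = 'alice@abc.example' },
    [pscustomobject]@{ mail = $null; proxyAddresses = @('SMTP:bob@abc.example') }
)
Find-MissingContact -RemoteUsers $remoteUsers -LocalContacts $localContacts
```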