locked
How can I prevent files from being copied by specific users using ADRMS? RRS feed

  • Question

  • Hello,

          I am looking for a solution in ADRMS where I can prevent one of my folder in which if specific group of users selects files and on right click their copy/cut option should be disebled. What steps I have to perform in order to achive this tasks.

    am using Windows 2008 R2 SP1 as DC and Windows 7 as Client

    Any help in above  issue will be appreciated.

    Nilkanth Desai

    Thursday, September 29, 2011 10:50 PM

Answers

  • Nilkanth-

    AD RMS is used to protect the contents of the file, not the actual file itself.  AD RMS won't prevent somebody from copying a protected file to another location (although it can help prevent somebody from forwarding a protected email).  AD RMS will protect a file from being viewed without proper permission.  If you've already deployed AD RMS in the environment, you can protect supported documents from within the application (Word, Excel, Outlook, etc.).  There are some step-by-step videos that walk through the protection process:

    http://technet.microsoft.com/en-us/edge/ff832960.aspx?query=1&Category=rms

    BTW - if you don't currently have AD RMS and plan to get rid of the right-click Copy/Cut options, there are other ways to copy and cut the files (command line and third-party utilities).  So, I would advise that you protect the documents with AD RMS instead (and forget about removing copy/cut options from menus).

    Brian

    Friday, September 30, 2011 4:33 PM
  • Not something ADRMS can help with here. You may want to consider application virtualization if you are trying to give access to an app, without giving access to the binaries.

    -Jason

    Friday, October 7, 2011 8:20 PM

All replies

  • Nilkanth-

    AD RMS is used to protect the contents of the file, not the actual file itself.  AD RMS won't prevent somebody from copying a protected file to another location (although it can help prevent somebody from forwarding a protected email).  AD RMS will protect a file from being viewed without proper permission.  If you've already deployed AD RMS in the environment, you can protect supported documents from within the application (Word, Excel, Outlook, etc.).  There are some step-by-step videos that walk through the protection process:

    http://technet.microsoft.com/en-us/edge/ff832960.aspx?query=1&Category=rms

    BTW - if you don't currently have AD RMS and plan to get rid of the right-click Copy/Cut options, there are other ways to copy and cut the files (command line and third-party utilities).  So, I would advise that you protect the documents with AD RMS instead (and forget about removing copy/cut options from menus).

    Brian

    Friday, September 30, 2011 4:33 PM
  • Hello Brian,

         Thanks for your reply. Can u suggest any third party tools that can perform this tasks. Actually I am protecting bunch of dlls/exes with this behaviour. Any way if u can give me names of these third party tools may be I can check. I did not install ADRMS but was planning to if this supports the case.

     

    Anyway thanks for u r reply,

     

    Nilkanth Desai

     

    Saturday, October 1, 2011 12:57 AM
  • To prevent your files from unauthorized copying, you need config NTFS access control list only. Just right click the folder, you will see the Security tab page. Remove any groups or users which you do not want them access your files in the folder.
    Saturday, October 1, 2011 3:29 AM
  • Hello Peter,

         I have already check this NTFS Security on initial stage but my issue is

    1) Users can use those dlls which remains inside the folder by the respective apps being run by users.

    2) In order to achive point 1 we need to allow read permission to user and as we allow him to read he can also copy them.

     

        So now I want a solution when apps from users machine can use those dlls but when user tries to copy them copy option should be disebled.

    Any solution will be helpful even it is third party.

     

    Nilkanth Desai

     

    Monday, October 3, 2011 6:11 AM
  • The main issue here is that read is basically the same as copy.  Imagine the file in question was test.txt.  Now imagine if a user has read access.  The user would also have copy (even if copy were a different access control entry).  Because as soon as he can open it to read it, he can save it as another file (thus copying it).

    Also, as I mentioned in my original reply, even if you hack up Windows Explorer to take away copy and cut right-click functionality, there are so many other ways to copy the files that it wouldn't be worth it.

    Brian

    Monday, October 3, 2011 4:03 PM
  • Not something ADRMS can help with here. You may want to consider application virtualization if you are trying to give access to an app, without giving access to the binaries.

    -Jason

    Friday, October 7, 2011 8:20 PM