RMS User

  • Question

  • hi

    I want to implement RMS 2008. How can I limit some users so that they can only read a secured document with RMS and cannot generate a secured document with RMS?

    Thank you

    Thursday, January 19, 2012 6:48 AM

Answers

  • You can change the ACL on the c:\inetpub\wwwroot\_wmcs\licensing\publish.asmx file to remove the machine\users group, and create a group in your AD that contains users you want to be able to create content, and add them with Read/Read+Execute rights to that file.

    Once you've done this, only users that are members of the AD group you specified will be able to create content. Keep in mind that if a user has "already" obtained a CLC file, then they don't need to connect to publish.asmx to obtain one for a full year typically, so make sure you clear your users' DRM folder before you try again.

    No Access to Publish.asmx = No CLC = No Publish Content.

    -Jason



    Thursday, February 23, 2012 6:22 PM
  • @morva: He means the file system permissions on the publish.asmx file. If the user cannot call this web service, they cannot obtain a CLC and cannot author content.
    Thursday, March 8, 2012 3:40 AM
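
The ACL change described in the marked answer, sketched in PowerShell as an added example (not code from either poster). The group name `CONTOSO\RMS-Publishers` is a hypothetical placeholder, and the script assumes an elevated session on the RMS server.

```powershell
# Added example: limit who can call publish.asmx (and so obtain a CLC).
$path  = 'C:\inetpub\wwwroot\_wmcs\licensing\publish.asmx'
$group = 'CONTOSO\RMS-Publishers'   # hypothetical AD group of allowed authors

# Keep the current security descriptor so the change can be rolled back.
$acl = Get-Acl -Path $path
$acl.Sddl | Set-Content -Path "$env:TEMP\publish.asmx.sddl.bak"

# Stop inheriting from the parent folder, converting inherited ACEs into
# explicit ones so service and administrator access is preserved.
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $path -AclObject $acl
$acl = Get-Acl -Path $path          # re-read: the ACEs are now explicit

# Remove every ACE for the local Users group (well-known SID S-1-5-32-545).
$users = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')
$acl.PurgeAccessRules($users)

# Grant the publishing group Read & Execute on the file.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group, 'ReadAndExecute', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify: list what is left, and flag broad principals that would still
# let every user reach the web service.
$broad = @{ 'S-1-1-0'      = 'Everyone'
            'S-1-5-11'     = 'Authenticated Users'
            'S-1-5-32-545' = 'BUILTIN\Users' }
$sidType = [System.Security.Principal.SecurityIdentifier]
foreach ($ace in (Get-Acl -Path $path).GetAccessRules($true, $true, $sidType)) {
    $sid = $ace.IdentityReference.Value
    if ($broad.ContainsKey($sid) -and $ace.AccessControlType -eq 'Allow') {
        Write-Warning "$($broad[$sid]) still has $($ace.FileSystemRights)"
    }
}
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

As the answer notes, a client that already holds a CLC is unaffected by this change until that CLC is cleared from the user's DRM folder.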

All replies

  • Hi,

    At least for Office there is a way. For other applications supporting RMS this might not be true:
    The Office Standard versions are only capable of consuming RMS content but cannot create it.

    To limit a Professional version to behave like a Standard version there is a Registry Key for Office IRM:
    http://blogs.technet.com/b/rmssupp/archive/2006/12/29/all-you-can-eat-office-registry-keys-for-irm-and-a-bag-of-chips.aspx

    Disable creation of IRM content
    Location: HKCU\Software\Microsoft\Office\12.0\Common\DRM
    DWORD: DisableCreation
    Value:
    If DisableCreation is non-zero, then an Enterprise Install will act just like a Standard install. Users cannot create IRM content or edit the rights on a doc, but they can consume previously created content.
    Description:
    This regkey makes an Enterprise Professional version of Office behave like a Standard copy. In this state, users can consume rights managed content, but cannot create new managed content or edit the permissions on existing content.
    Exists in Office 11: No
    Exists in Office 12: Yes
    Can Be Set by GPO in Office 11: No
    Can Be Set by GPO in Office 12: Yes
    GPO Path and Name:
    User Configuration\Microsoft Office 2007\Manage Restricted Permissions\Prevent users from changing permissions on rights managed content.

    Office 2010 also supports this and the path would be 14.0 instead of 11.0 or 12.0.

    I also suggest using the Policies hive in the Registry:

    Many Feature Control keys can also be controlled by network administrators by using Group Policy. When a group policy is modified, a value similar to the one above is written to the policy hive in the Windows registry. Because Feature Controls can be configured in multiple places, Internet Explorer will look for values in the following order of precedence:

    • HKEY_LOCAL_MACHINE policy hive (administrative overrides)
    • HKEY_CURRENT_USER policy hive
    • HKEY_CURRENT_USER preference hive
    • HKEY_LOCAL_MACHINE preference hive (system default settings)

    But I think the ADM(X) files for Office do this anyway.

     

    Regards

    CHacker

    Thursday, January 19, 2012 8:40 AM
  • hi

    Thanks for the answer. I used the way you described, but users are still able to create documents.

    Tuesday, February 21, 2012 6:42 AM
  • Hi Jason,

    Thanks for answering. The publish.asmx file is empty and I can't find anything on the Internet about defining an ACL on this file!

    And I have another question: I have a third party for CAD files. What's your suggestion?

    GigaTrust and Foxit couldn't support the original CAD file; only the CAD viewer is supported. But I don't have any idea about Liquid Machines.

    Please help me!

    Thanks

    Tuesday, March 6, 2012 7:00 AM