ADRMS and Active Directory Security Groups

  • Question

  • I'm setting up a demo environment following the step-by-step guide on TechNet, http://technet.microsoft.com/en-us/library/cc753531(WS.10).aspx . Everything worked fine. At the end of the validation, I secure a document with permissions for a universal security group. That worked well, however if later I add users to that security group, those users cannot open the file. Also, if I remove users previously in the group before the file was created, they still can access the file after being removed from the security group. Is this the expected behavior? Or may I be doing something wrong? I tried this twice already. The only differences between my test and the guide are that in the guide an independent SQL Server is used, while I use Windows Internal Database on the same member server where I installed the ADRMS Role. The other difference is that my test client is Windows XP instead of Vista.

    Any ideas? Thanks in advance.

    Tuesday, April 19, 2011 8:35 PM

Answers

  • Hi David,

    That worked well, however if later I add users to that security group, those users cannot open the file.

    This is probably due to AD replication issues; ensure all DCs are in sync and the user has done a log off / log in after the group change.

    Also, if I remove users previously in the group before the file was created, they still can access the file after being removed from the security group. Is this the expected behavior?

    Well yes, it's somewhat an expected behaviour, as once the protected file has been opened the licenses are cached and the user should be able to open the file even if he is offline. Plus, you need to ensure once again that all DCs are in sync and the user has done a log off / log in after the group change.

    To strictly enforce these settings you need to enable the "Require a connection to verify a user's permissions" option in Word. In that case, every time the protected document is opened it will try to contact the RMS server.


    Blog Link: http://blogs.cyquent.ae | Follow us on Twitter: @cyquent

    Wednesday, April 20, 2011 6:56 AM
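
One way to check the "all DCs are in sync" condition from the answer for the specific group used in the rights policy, as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module is available, that the group lives in the current domain, and uses a placeholder group name.

```powershell
# Added example: compare one group's membership as seen by every DC in the domain.
Import-Module ActiveDirectory

# Assumption: placeholder name; replace with the group granted rights on the document.
$GroupName = 'RMS-Demo-Group'

# Ask each domain controller for its own copy of the group's member attribute.
$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $g = Get-ADGroup -Identity $GroupName -Server $dc.HostName -Properties member, whenChanged
        [pscustomobject]@{
            DC          = $dc.HostName
            WhenChanged = $g.whenChanged          # set locally when this DC applied a change
            Members     = @($g.member | Sort-Object)
            Error       = $null
        }
    } catch {
        # An unreachable DC is reported, not silently skipped.
        [pscustomobject]@{ DC = $dc.HostName; WhenChanged = $null; Members = @(); Error = $_.Exception.Message }
    }
}

# Reference copy: the DC that applied a change to the group most recently.
$reference = $results | Where-Object { -not $_.Error } |
    Sort-Object WhenChanged -Descending | Select-Object -First 1
if (-not $reference) { throw "No domain controller returned group '$GroupName'." }

foreach ($r in $results) {
    if ($r.Error) {
        Write-Warning "$($r.DC): query failed: $($r.Error)"
        continue
    }
    # Members present on one side only indicate the change has not replicated yet.
    $missing = @($reference.Members | Where-Object { $_ -notin $r.Members })
    $extra   = @($r.Members | Where-Object { $_ -notin $reference.Members })
    if ($missing.Count -eq 0 -and $extra.Count -eq 0) {
        Write-Output "$($r.DC): in sync with $($reference.DC) ($($r.Members.Count) members)"
    } else {
        Write-Warning "$($r.DC): differs from $($reference.DC)"
        $missing | ForEach-Object { Write-Output "  not yet added on $($r.DC): $_" }
        $extra   | ForEach-Object { Write-Output "  not yet removed on $($r.DC): $_" }
    }
}
```

A DC that still lists a removed user, or lacks an added one, matches the replication issue the answer describes; the cached licenses it mentions are a separate matter that this check does not cover.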