Table of Contents


Symptoms

Creating a Custom Template in AD RMS with no rights to forward (Do Not Forward) still allows for scenarios like the following:
  • User A sends an email to User B with “Do Not Forward”.
  • User B (Since he cannot forward this email to User C) copies the email and sends it as an attachment to User C.
  • User C can open and read this e-mail although he wasn’t given the permissions from the protector (User A).


Cause

 

A custom template that doesn’t grant the user the Forward right is not the same as the Do Not Forward Template in Outlook. In fact, the Do Not Forward template in Outlook isn't really a template at all.  Do Not Forward, as implemented in Outlook, builds a policy on the fly based on the recipients of the original email. This makes it impossible for any recipients to open the email even if it was somehow forwarded because they can't get a license to decrypt it.

 

When the Forward right is specifically not granted in a Custom Template, you still specify users in the template that will have access and ultimately that’s who has rights to decrypt and read the email. The only reliable way to use DNF (Do Not Forward) is with the built-in Outlook "Template".

Inspired by Eddie's work (and by a customer call) which tested the behavior between the Outlook feature and a custom template: Default Outlook Do Not Forward Feature vs. Custom DNF Rights Policy Template

See Also