Excluding Rights Account Certificates

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

If a user is trusted but his or her RMS credentials are compromised, you can exclude the user’s rights account certificate by excluding its public key. When you do this, RMS denies new use license requests that involve that rights account certificate. After you exclude a rights account certificate, the next time that user attempts to acquire a use license for new content, the request will be denied. To acquire a use license, the user will have to retrieve a new rights account certificate with a new key pair.

Rights account certificates can be excluded by using the Exclusion policies page of the administration Web site. When you exclude a user’s rights account certificate, RMS adds the excluded key, the user’s account name, and the date and time of the exclusion to the DRMS_GicExclusionList table of the configuration database for the root cluster. This information is also displayed on the Exclusion policies page of the administration Web site. In addition, RMS deletes both the public and private keys that are associated with the excluded rights account certificate from the UD_Users table of the configuration database.

To exclude a rights account certificate that is on the root cluster, specify the user’s domain account on the Exclusion policies page of a server that is a member of the root cluster. The exclusion must also be applied on each subenrolled server, using that server’s administration Web site. To exclude a user on a subenrolled licensing-only cluster, enter the public key value of the rights account certificate on the Exclusion policies page of the administration Web site of a server that is a member of the licensing-only cluster. You can obtain this value from the Exclusion policies page of the root certification cluster’s administration Web site.

To simplify rights account certificate exclusion throughout a multiple-cluster RMS deployment, you can replicate the DRMS_GicExclusionList table from the configuration database of the root cluster to the configuration database of each licensing-only cluster. If you do this, you do not have to manually enter the public key value on each cluster.
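As an added example, not part of this documentation or of RMS itself, the following Python script checks that every rights account certificate exclusion recorded on the root cluster is also present on each licensing-only cluster, and shows that matching is by the certificate’s public key, so a user who retrieves a new certificate with a new key pair is no longer denied. The field names, account names and key values are assumptions constructed for the example, not the real DRMS_GicExclusionList schema.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class ExclusionEntry:
    """One row of the exclusion list. These field names are assumptions for
    the example, not the real DRMS_GicExclusionList schema."""
    public_key: str        # public key of the excluded rights account certificate
    account_name: str      # account that held the certificate when it was excluded
    excluded_at: datetime  # date and time of the exclusion

def normalize_key(key: str) -> str:
    # A key copied from the root cluster's Exclusion policies page into another
    # cluster's page can pick up stray spaces or line breaks; ignore only those.
    return "".join(key.split())

def is_excluded(rac_public_key: str, entries) -> bool:
    """RMS matches a use license request against the RAC's public key, so a
    user who retrieves a new RAC with a new key pair is no longer blocked."""
    wanted = normalize_key(rac_public_key)
    return any(normalize_key(e.public_key) == wanted for e in entries)

def missing_exclusions(root_entries, cluster_entries):
    """For each licensing-only cluster, list the root-cluster exclusions it
    lacks: the gap that replicating DRMS_GicExclusionList is meant to close."""
    report = {}
    for cluster, entries in cluster_entries.items():
        present = {normalize_key(e.public_key) for e in entries}
        gaps = [e for e in root_entries if normalize_key(e.public_key) not in present]
        report[cluster] = sorted(gaps, key=lambda e: e.excluded_at)
    return report

# Constructed sample data; the keys are placeholders, not real RAC keys.
ROOT = [
    ExclusionEntry("KEY-ALICE-0001", r"CONTOSO\alice", datetime(2007, 3, 1, 9, 15)),
    ExclusionEntry("KEY-BOB-0001", r"CONTOSO\bob", datetime(2007, 3, 2, 14, 0)),
]
CLUSTERS = {
    "LIC-EAST": [ROOT[0]],  # bob's key was never entered on this cluster
    "LIC-WEST": [ExclusionEntry("KEY-ALICE- 0001", r"CONTOSO\alice", ROOT[0].excluded_at),
                 ROOT[1]],  # alice's key was pasted with a stray space
}

if __name__ == "__main__":
    for cluster, gaps in missing_exclusions(ROOT, CLUSTERS).items():
        for e in gaps:
            print(f"{cluster}: {e.account_name} excluded on root at "
                  f"{e.excluded_at:%Y-%m-%d %H:%M} but not on this cluster")
```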