Understanding AD RMS Exclusion Policies
Applies To: Windows Server 2008 R2, Windows Server 2012
You can implement exclusion policies to deny certain entities the ability to acquire certificates and licenses. There are three ways to exclude these entities: by user, by application, and by lockbox version.
When an entity is excluded, use licenses that are created by servers in the AD RMS cluster will have that entity specified in the exclusion list. If, after a period of time, you decide to remove an entity that you previously included in an exclusion policy, you can delete the entity from the exclusion list. Any new certification or licensing requests will then no longer treat this entity as excluded.
We recommend that you do not remove an entity from an exclusion policy until you can be sure that all of the certificates issued before the exclusion policy was created have expired. Otherwise, both the old certificates and the new certificates will allow the content to be decrypted, which might not be what your organization wants.