How do I find which documents are protected by Active Directory Rights Management Services?

TL;DR

How do I tell, on the server, which documents are protected by AD-RMS


I inherited a small environment where Active Directory Rights Management Services is in use. The server is near end of life, and we don't want to replace it, and no longer need RMS. The issue is that there are hundreds of documents with RMS protection on them, and I don't know how to check which documents without opening every single one.

My fear is that the server will die, and I will find out which documents were protected, because no one will be able to open them anymore. Is there a way to quickly/easily determine which files query AD-RMS when they open, from the server?


Solution 1:

There's no simple way.

Programmatically, you can scan the files with the IpcfIsFileEncrypted Windows API function. But if your files are scattered around on many machines, then that's just something you'll have to work out on your own. AD RMS doesn't keep track of every file that it has encrypted over its lifetime.

You should go ahead and decommission AD RMS. If the server dies or if you just rip out the AD RMS role, then whatever documents that had been encrypted with AD RMS will remain encrypted forever. AD RMS has a special "Decommissioned" mode where it offers up free decryption for everybody. It gives your users the opportunity to re-save their files without encryption. But it is not automatic.

You could also consider backing the server up if you're concerned about the server dying before you've had a chance to decrypt any important documents.

Reference material:

  • AD RMS FAQ
  • AD RMS Decommissioning Guide
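The scan the answer describes, as an added example that is not part of the original answer: a PowerShell script that walks a file share and asks the RMS client, through a P/Invoke of IpcfIsFileEncrypted from msipc.dll, which files are protected. It assumes the MSIPC runtime (the AD RMS client) is installed on the machine running it, that `\\fileserver\share` is a placeholder for the path to inventory, and that the status constants match the MSIPC SDK header (check ipcfile.h if in doubt).

```powershell
# Inventory RMS-protected files on a share using the MSIPC client API.
# Added example, not from the answer above. Requires the AD RMS client (msipc.dll).
$signature = @'
[DllImport("msipc.dll")]
public static extern int IpcInitialize();

[DllImport("msipc.dll", CharSet = CharSet.Unicode)]
public static extern int IpcfIsFileEncrypted(string wszInputFilePath,
                                              uint dwFlags,
                                              out uint pdwFileStatus);
'@
Add-Type -MemberDefinition $signature -Name Msipc -Namespace RmsScan

# File status values as documented for IpcfIsFileEncrypted (assumption: verify
# against ipcfile.h in the MSIPC SDK on your system).
$statusNames = @{
    0 = 'NotProtected'      # IPCF_FILE_STATUS_DECRYPTED
    1 = 'ProtectedCustom'   # IPCF_FILE_STATUS_ENCRYPTED_CUSTOM
    2 = 'Protected'         # IPCF_FILE_STATUS_ENCRYPTED
}

# MSIPC requires IpcInitialize before any other call; a non-zero HRESULT is fatal.
$hr = [RmsScan.Msipc]::IpcInitialize()
if ($hr -ne 0) { throw ("IpcInitialize failed with HRESULT 0x{0:X8}" -f $hr) }

$root   = '\\fileserver\share'                    # placeholder path
$report = Join-Path $env:TEMP 'rms-protected-files.csv'

Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $status = [uint32]0
        $hr = [RmsScan.Msipc]::IpcfIsFileEncrypted($_.FullName, 0, [ref]$status)
        [pscustomobject]@{
            Path   = $_.FullName
            # Unreadable or unsupported files are reported, not silently skipped,
            # so the inventory shows what still needs a manual check.
            Status = if ($hr -ne 0) { ('Error 0x{0:X8}' -f $hr) }
                     elseif ($statusNames.ContainsKey([int]$status)) { $statusNames[[int]$status] }
                     else { "Unknown($status)" }
        }
    } |
    Where-Object { $_.Status -ne 'NotProtected' } |
    Tee-Object -Variable found |
    Export-Csv -Path $report -NoTypeInformation

"{0} file(s) need attention; report written to {1}" -f @($found).Count, $report
```

Run it once per share (or per client machine that holds documents) before decommissioning, so the resulting CSV becomes the list of files users must re-save unprotected while the server is in decommissioned mode.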