Two Outlook Profiles with Windows Rights Management Services

Will a two-profile configuration in Outlook allow an administrator to also access RMS-protected messages that are linked to different Active Directory accounts?

Jan De Clercq

July 16, 2014


Q: Some of our managers have two Exchange Server mailboxes that are linked to two different Active Directory accounts. To reduce the number of Windows logon/logoffs, our IT staff has configured two Outlook profiles (one for each mailbox) on the managers' workstations, so the managers are prompted which mailbox to open when starting Outlook. Will this solution also allow the managers to access Windows Rights Management Services–protected email messages in both mailboxes without logging off and logging on to Active Directory?

A: No, this two-profile solution won't allow managers to seamlessly access Windows Rights Management Services (RMS)-protected content in both mailboxes. This is because RMS uses a specific set of Active Directory (AD) credentials—the credentials of the user that's currently logged on—when the RMS Client Licensor Certificate (CLC) and End User License (EUL) are created. The CLC and EUL are created when a user first attempts to access RMS-protected content and authenticates to the RMS server. Both artifacts are cached in the RMS folder inside the user profile folder of the logged-on user.

When a manager switches to his other mailbox, by default he won't be able to use his other AD account to open messages that are protected with RMS. He will encounter an "unexpected error" because the CLC and EUL used by RMS still refer to his other AD account.

You can work around this limitation by forcing re-authentication each time another mailbox is accessed and by clearing the RMS cache in the user account's profile. To force re-authentication, you must change the security options in Internet Explorer. To do so, select Internet options from the IE Tools menu, select the Security tab, and remove the RMS URL from the Local intranet or Trusted sites security zones. Because IE then no longer passes the logged-on user's Windows credentials automatically, RMS prompts for the AD credentials of the specific account that should be used.

To clear the RMS folder in the user account's profile, you can create a batch file that runs the following command:

del %userprofile%\AppData\Local\Microsoft\DRM\* /F /Q

Your managers must then run this batch file each time they switch to another Outlook profile.
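The following PowerShell script is an added example, not part of the original article, that combines the two manual steps (clear the RMS cache, then open the other profile) into a single action a manager can run. It assumes the RMS client cache is the same %LOCALAPPDATA%\Microsoft\DRM folder the batch command above targets, that Outlook is installed so that outlook.exe resolves through the shell, and that the profile name passed in is one of the two profiles IT configured (the name shown is a placeholder).

```powershell
# Added example: clear the cached CLC/EUL for the current Windows user and then start
# Outlook directly in the chosen profile. Not the article's own batch file.
param(
    [Parameter(Mandatory = $true)]
    [string]$ProfileName   # e.g. "Mailbox-B" (placeholder; use the profile name IT created)
)

# Same folder the article's "del %userprofile%\AppData\Local\Microsoft\DRM\*" command empties.
$drmCache = Join-Path $env:LOCALAPPDATA 'Microsoft\DRM'

# Outlook keeps the RMS client loaded, and the client holds the cached certificate files
# open. Deleting them while Outlook runs fails or leaves stale entries that still refer
# to the other AD account, which is exactly the "unexpected error" the article describes.
$outlook = Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue
if ($outlook) {
    Write-Host "Outlook is still running (PID $($outlook.Id -join ', ')). Close it, then rerun."
    exit 1
}

if (Test-Path $drmCache) {
    Get-ChildItem -Path $drmCache -Force -ErrorAction SilentlyContinue |
        Remove-Item -Force -Recurse -ErrorAction Stop
    Write-Host "Cleared RMS cache: $drmCache"
} else {
    Write-Host "No RMS cache found at $drmCache; nothing to clear."
}

# /profile is a documented Outlook command-line switch; it opens the named profile
# without showing the "Choose Profile" dialog. With the cache cleared and the RMS URL
# removed from the IE intranet/trusted zones, RMS prompts for AD credentials on the
# first protected message, and the manager enters the account tied to this mailbox.
Start-Process -FilePath 'outlook.exe' -ArgumentList "/profile `"$ProfileName`""
```

Run it as the manager's Windows user (for example from a desktop shortcut per profile), because $env:LOCALAPPDATA must resolve to the profile folder that holds that user's RMS cache.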
