Some of my more 'bleeding edge' readers who are playing around with 2008 may be wondering why the old AD cache setting keys that we used in RMS 1.0 no longer work with RMS 2.0. Well, the reason is simple: we don't use the registry keys anymore. :)
To disable Active Directory caching (or modify the default values) here is what you do:
1. You need to access the dbo.DRMS_clusterpolicies database and set the following policy values to 0 (or whatever value you want):
     UseDirectoryServicesCacheDatabase
     EnableNoRightsCaching
   This will disable all database caching.
2. You can reset IIS to clean up the memory cache, or you can set the following policy values to 0 in the dbo.DRMS_clusterpolicies database:
     DirectoryServicesMemoryPrincipalCacheMaxSize
     DirectoryServicesMemoryGroupIdCacheMaxSize
     DirectoryServicesMemoryGroupMembershipCacheMaxSize
     DirectoryServicesMemoryContactGroupMembershipCacheMaxSize
     DirectoryServicesMemoryPrincipalCacheExpirationMinutes
     DirectoryServicesMemoryGroupCacheExpirationMinutes
…and before you ask, EnableNoRightsCaching is new to ADRMS. It caches 'No Rights' failures, so that we can quickly tell a user who keeps trying to open content they don't have access to 'You've already been told you don't have access, punk!', without making a round trip to the DC again.
Thanks to Sarah, my compadre from CSS-Security, for continually pushing me for these answers, and always keeping me entertained with new ways to put up RMS in strange scenarios.