RMS SP2 - How to totally disable caching?
Greetings

Here are two use-cases that mis-function, due to RMS caching:

Test-case 1: a user has access to a document that is RMS-protected via an RMS template that specifies a group-membership. Once the user is removed from the group, one expects that this user would lose access.

Test-case 2: a user does not have access to a document that is protected via an RMS template that specifies a group-membership. Once the user is added to the group, one expects that this user would gain access.

The problem is documented at a few places (all related to Microsoft): by default RMS caches group membership for 720 mn (12 hours). There are at least two complementary ways to disable this caching: one in the registry of the RMS Server, and one on the RMS Server's configuration database:

http://blogs.technet.com/rmssupp/archive/2007/05/11/troubleshooting-your-rms-server-and-group-membership.aspx
http://rmsexpertise.blogspot.com/2007/02/rms-caching.html

I have done both and the caching is still active, despite all the recommended actions (reset IIS, even reboot of the RMS server and RMS client machines). The cache is still very sticky, until I change the system clock appropriately.

One of the posted comments from MS recommended to troubleshoot at the system-calls level, using DebugView, which I'd prefer to avoid... Any suggestion?

Many thanks
Jean-Paul Buu-Sao
June 3rd, 2008 12:32am

Greetings

The answer to my own post was to use "Universal-Distribution Groups" instead of "Global-Security Groups". Jason Tyler, in his post referred above, recommended using the former, although "for cross-domain scenarios" reasons. This is why I disregarded this recommendation. Well, this makes a difference, even in a single-domain scenario!

Conclusions so far:

if you have the correct setting for disabling caches (see my post above) and the policy template specifies "Require a new use license each time content is consumed" and if the group referred by the template is a Universal-Distribution group then the group-membership will be re-evaluated every time the RMS client needs to verify access.

if you have the correct setting for disabling caches (see my post above) and the policy template specifies "Require a new use license each time content is consumed" and if the group referred by the template is a Global-Security group then the group-membership will be evaluated once and maintained in cache(s) somewhere (?).

Q1 Do RMS experts concur with these conclusions?

Q2 What are the reasons for this difference of behaviour?
 1. Is it RMS SP2 which establishes a difference between types of groups with respect to caching behaviour, or
 2. Is it AD which expands differently, maybe in relation to the functional level?

Q3 Can the folks having done the experience with W2008/RMSv2 share their findings?

Any clue, pointer, will be much appreciated.

Thanks
Jean-Paul Buu-Sao
June 3rd, 2008 12:39pm

This topic is archived. No further replies will be accepted.
