In order for IRM to work with AD RMS on word documents, do clients need to be added into the domain?
From my testing, this seems self defeating. If I use SP IRM and grant a user view access, if they are on the domain the RMS policy takes effect and applies the appropriate restrictions. Yet, because I have given rights via SP, the user can access the document from any machine since the document library only request the appropriate authentication. Afterward the user can open the document as normal.
I would like to know if its possible to make the document completely restricted if the user is not joined on the domain or am I not configuring something correctly.
From my understanding, if you’re using IRM software, you can control access to the documents and make them completely restricted. With IRM solution, user who has the appropriate authentication can access the documents at any time from any devices and anywhere. While sharing files, it is important to keep your domain confidential.  Here is a SharePoint Webinar covers the common challenges in technical data control in SharePoint.
Thanks Trevor for the quick response.
Sorry if this comes across as a stupid question but I can’t wrap my head around the fact that why would someone need to be on the domain, if they can still access the document based on SP permissions from any computer?
In fact this makes a huge flaw in RMS since the document is still accessible whether the user is on the domain or not. It simply doesn’t apply a policy, but you can’t guarantee that the user will access the document library from a computer that is joined to the domain. So I am not sure why this would be important.
Â
Yes, the user needs to be a member of the domain and in addition have an RMS license assigned to them. You can do RMS federation, as well.
http://technet.microsoft.com/en-us/library/ee256071(v=WS.10).aspx
