In this post, we will see how to create AD RMS rights policy templates, distribute them across the organization, and use them from Office.
Configure GPO RMS Settings – Configure Office RMS Settings
a. Log on to AD Server as <Domain>\Administrator
b. Click Start, Run, and type GPMC.MSC
c. Click Group Policy Objects, and then right-click the GPO called ISD – Configuration Settings v1.0 and then select Edit.
d. Click the User Configuration\Policies\Administrative Templates \Classic Administrative Templates (ADM)\Microsoft Office 2007 System, and then click Manage Restricted Permissions.
e. In the details pane, double-click Specify Permission Policy Path, click Enabled, and then type \\FQDN of AD Server\ADRMSTemplates as the path. Click OK.
f. Close all windows.
g. Log off.
Prepare the AD RMS Server to Share the Rights Policy Templates (for XP)
a. Log on to AD Server as Domain\Administrator
b. Click the Start menu, and then click Computer.
c. Create a folder called ADRMSTemplates in the Root Directory (C:\).
d. Right-click the ADRMSTemplates folder and select Share…
e. In the ADRMSTemplates Properties window, assign the following permissions, and then click the Share button:
· Add Everyone as reader,
· Add ADRMSSvc as Co-owner
f. Click Done when finished.
g. Close the Windows Explorer.
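The same folder and share can be created from an elevated PowerShell prompt, which also makes the resulting permissions easy to audit. The script below is an added example and is not part of the original post; it assumes the SmbShare module (Windows Server 2012 / Windows 8 or later), an assumed domain name CONTOSO, and the ADRMSSvc service account named above.

```powershell
# Added example (not from the original post): create and share the
# ADRMSTemplates folder with the permissions the steps above describe.
# Assumes the SmbShare module (Windows Server 2012 / Windows 8 or later);
# an equivalent "net share" command for older servers is given at the end.
# CONTOSO is an assumed domain name; ADRMSSvc is the account from the post.

$FolderPath  = 'C:\ADRMSTemplates'
$ShareName   = 'ADRMSTemplates'
$ServiceAcct = 'CONTOSO\ADRMSSvc'   # assumed domain prefix

# Create the folder in the root of C: if it does not exist yet.
if (-not (Test-Path -LiteralPath $FolderPath)) {
    New-Item -ItemType Directory -Path $FolderPath | Out-Null
}

# NTFS: let the AD RMS service account write exported templates here.
icacls "$FolderPath" /grant "${ServiceAcct}:(OI)(CI)M" | Out-Null

# Share: Everyone reads (clients download templates), only the service
# account gets full control (only the export job may replace templates).
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $FolderPath `
        -ReadAccess 'Everyone' -FullAccess $ServiceAcct | Out-Null
}

# Verify the share ACL: anything beyond Read for Everyone would let any
# domain user alter templates that every client trusts and caches.
Get-SmbShareAccess -Name $ShareName |
    Select-Object AccountName, AccessControlType, AccessRight |
    Format-Table -AutoSize

# Equivalent on Windows Server 2008 (no SmbShare module):
# net share ADRMSTemplates=C:\ADRMSTemplates /GRANT:Everyone,READ /GRANT:CONTOSO\ADRMSSvc,FULL
```

The verification step matters because every client later points Office at this share and imports what it finds there; keeping write access limited to the service account is what keeps the distributed templates trustworthy.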
Create a standard rights policy template.
a. Open the MMC console called AD RMS located on the Administrator's desktop.
b. Expand Active Directory Rights Management Services, expand xxxxx, and select Rights Policies Templates.
c. Click the Change distributed rights policy templates file location, select Enable Export, and then specify \\<FQDN of AD Server>\ADRMSTemplates\ and click OK.
d. Click Create distributed rights policy Template.
e. On the Create distributed rights policy Template window click Add, in the Template name field, type XXXX Confidential – Read Only.
f. Type the following in the Template description field:
This is a template used to assign read-only rights to the content it is protecting.
g. Click Add and then Click Next.
h. On the Users and Rights page, click Add.
i. In the Add users or groups field, type AllUsers@xxxxx.com, and then click Add.
j. Select AllUsers@xxxxx.com and select the View and View Rights check boxes.
k. In the Rights request URL field, type mailto:email@example.com.
l. Click Finish.
Create a custom rights policy template.
a. Click the Create distributed rights policy Template link
The Rights policy template settings page appears.
b. On the Create distributed rights policy Template window click Add, in the Template name box, type xxxxxx – Financial Department.
c. In the Template description box, type “This Document is for xxxxx Financial Department Employees use only”.
d. Click Add and then click Next.
e. Click the Add… button.
f. In the Add users or group field type firstname.lastname@example.org, click OK.
g. In the Add users or groups, click Add, type FinancialUsers@xxxxx.com. Click OK.
h. Select FinancialUsers@xxxxx.com and then enable the following rights:
· View Rights
· Export (Save as)
· Reply All
i. Select email@example.com and then enable the following rights:
· View Rights
· Export (Save as)
· Reply All
j. Click Finish
k. Repeat steps a to i for the Sales Department with the email address SalesUsers@xxxxx.com.
l. Log off.
Note – SalesUsers and FinancialUsers are security groups in AD. You can specify your own groups, but ensure that the email address attribute of the group or user object in AD is populated; AD RMS identifies principals by that address.
Configure Offline Folders for Rights Policy Templates Path for XP
a. Log on to AD Server as Administrator
b. Click the Start menu, then click Run, next type gpmc.msc and press Enter
c. Expand Root node
d. Expand the Domains node.
e. Expand the xxxx node and then click Group Policy Objects.
f. Right-click XP – AD RMS Clients GPO and then click Edit
g. In the Group Policy Object Editor, expand the User Configuration node, then Policies, then Administrative Templates, then Network, then Offline Files, and then configure the following settings:
· Synchronize all offline files when logging on
· Action on server disconnect: Enabled, and select Work offline as the action
· Non-default server disconnect actions: Enabled, click Show, and use the Add… button to add Name with \\<FQDN of AD Server>\ADRMSTemplates, and Value with 0
· Administratively assigned offline files: Enabled, click Show, and use the Add… button to add Name with \\<FQDN of AD Server>\ADRMSTemplates (DON’T assign any data to the Value option)
The objective of the above step is to cache the templates locally so that they remain available even when the user is working offline or is outside the organization’s LAN.
Follow the steps below in case you use Windows 2008 AD
h. Click on User configuration => Preferences => Windows settings => Registry
i. On right hand pane, right click and select new => Registry item
j. In General tab of New registry properties, Select Action as New.
k. In Hive, select HKEY_CURRENT_USER; in Key Path, browse to Software\Microsoft\Office\11.0\Common\DRM
Please note – 11.0 is for Office 2003 and 12.0 for Office 2007.
l. In Value name, type AdminTemplatePath (default should not be selected)
m. In Value type, select REG_EXPAND_SZ
n. In Value data, key in \\<FQDN of AD Server>\ADRMSTemplates
o. Close the Group Policy Object Editor and then the Group Policy Management console.
p. Log off.
Follow the steps below in case you use Windows 2003 AD
h. Open the Registry Editor on a system where the RMS client is installed.
i. Browse to HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common
j. Create Key called DRM
k. Select DRM and right-click in the right-hand pane to create New => Expandable String Value
l. Provide Name as “AdminTemplatePath”
m. Provide data as \\<FQDN of AD Server>\ADRMSTemplates
n. Now right-click the DRM key and select Export.
o. Save the file as Templatepath.reg in the ADRMSTemplates shared folder itself.
p. Go to AD, open Group Policy Editor, and create logon script –
Go to User Configuration => Windows Settings => Scripts (Logon/Logoff) => Logon
q. Define logon script to call the registry editor to import the templatepath.reg file using below mentioned command.
regedit.exe /s \\ADserver\shared_folder\file.reg
ADserver – your AD server name
shared_folder – the shared folder name (ADRMSTemplates)
file.reg – the exported .reg file (Templatepath.reg above)
Now when users log on to AD, the logon script imports the .reg file to create or update AdminTemplatePath so that it points to the ADRMSTemplates folder shared on the AD RMS server. The earlier Offline Files steps ensure that the template files themselves are available offline.
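Whether the AdminTemplatePath value arrives through Group Policy Preferences (Windows 2008) or the logon-script .reg import (Windows 2003), the end state on the client is the same registry value, and it is worth confirming on a test client before rolling out. The script below is an added example, not code from the original post; it writes the value exactly as the steps above describe (hive, key, name, REG_EXPAND_SZ) and then checks that the share it names is reachable and contains exported templates. The server name ADSERVER.contoso.com is an assumed placeholder.

```powershell
# Added example (not from the original post): create the AdminTemplatePath
# value that points Office at the template share, then verify it end to end.
# Hive, key, value name and type come from the steps above; the server name
# ADSERVER.contoso.com is an assumed placeholder.

$TemplateShare = '\\ADSERVER.contoso.com\ADRMSTemplates'   # assumed FQDN

# 11.0 = Office 2003, 12.0 = Office 2007 (as the post notes); writing both
# covers either client version.
foreach ($ver in '11.0', '12.0') {
    $key = "HKCU:\Software\Microsoft\Office\$ver\Common\DRM"
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # ExpandString = REG_EXPAND_SZ, the type the post specifies.
    New-ItemProperty -Path $key -Name 'AdminTemplatePath' `
        -PropertyType ExpandString -Value $TemplateShare -Force | Out-Null
}

# Verify: read each value back, then confirm the share it names is
# reachable and actually holds exported templates (AD RMS exports *.xml).
foreach ($ver in '11.0', '12.0') {
    $key  = "HKCU:\Software\Microsoft\Office\$ver\Common\DRM"
    $path = (Get-ItemProperty -Path $key -Name 'AdminTemplatePath').AdminTemplatePath
    $count = if (Test-Path -LiteralPath $path) {
        (Get-ChildItem -LiteralPath $path -Filter '*.xml' |
            Where-Object { -not $_.PSIsContainer } |
            Measure-Object).Count
    } else {
        'share unreachable'
    }
    "Office {0}: AdminTemplatePath = {1}  ({2} template files)" -f $ver, $path, $count
}
```

Run it in the user's own session, since the value lives under HKEY_CURRENT_USER. Note that `regedit.exe /s` in the logon-script variant silently imports whatever the .reg file on the share contains, which is one more reason to keep write access on the ADRMSTemplates share limited to the AD RMS service account.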
Configure the rights policy templates path for Windows Vista
a. On the Group Policy Management console, expand the xxxxx node and then click Group Policy Objects.
b. Right-click the right panel and select New.
c. On New GPO, type VISTA – AD RMS Clients, and click OK.
Right-click VISTA – AD RMS Clients GPO and then click Edit.
d. On Group Policies Management Editor, under Computer Configuration, expand Policies, then right-click Administrative Templates.
e. Click Add/Remove Templates, and then click Add.
f. In the File name box, type \\<AD Servername>\adrms\adm\, select the office12.adm, and then click Open.
g. Click Close to close the Add/Remove Templates dialog box.
h. Click the User Configuration\Policies\Administrative Templates \Classic Administrative Templates (ADM)\Microsoft Office 2007 System, and then click Manage Restricted Permissions.
i. In the details pane, double-click URL for location of document templates displayed when applications do not recognize rights-managed documents, click Enabled, and then type %localappdata%\Microsoft\DRM\templates\ and click OK.
j. Close the Group Policy Management Editor window.
k. On the left panel, right-click WMI Filters, and select New…
l. On New WMI filter, on Name box, type “OS Vista”, and on Description box, type “Only target computers running Vista Professional”.
m. Click Add.
n. In the WMI Query window, on Namespace box, verify the value root\cimv2, and under Query type the following line:
select * from Win32_OperatingSystem where Version like "6.0%"
o. Click OK and then click Save.
p. Expand Group Policy Objects, and select VISTA – AD RMS Clients GPO. On the right panel, under WMI Filtering, click the drop-down box and select OS Vista.
q. In the Group Policy Management window, click Yes.
r. On the left panel, right-click on xxxxxx and select Link an Existing GPO…
s. On the Select GPO window, select Vista – AD RMS Clients, and click OK.
t. On the right panel, right-click Vista – AD RMS Clients link, select Enforced, and click OK.
u. Close all windows.
v. Log off the AD Server.
w. Log on to Client machine as <Domain_name>\Administrator
x. On the Start menu, type Task Scheduler, and then press Enter.
y. In the Task Scheduler window, in the console tree, expand Task Scheduler Library, then expand Microsoft, expand Windows, and click Active Directory Rights Management Services Client.
z. In the details pane, click AD RMS Rights Policy Template Management (Automated), and then review the schedule task properties.
The AD RMS client requests rights policy templates from the AD RMS cluster by using a scheduled task, which is configured to query the template distribution pipeline on the AD RMS cluster. Two scheduled tasks are available on computers running Windows Vista SP1: one automated and one manual. The automated scheduled task is configured to run up to one hour after a user logs on to the computer and every morning at 3:00 A.M., but this scheduled task is disabled by default. You can enable and change the default configuration by using the Task Scheduler control panel.
aa. In the Actions pane, click Enable.
bb. In the Actions pane, click Properties.
cc. In the AD RMS Rights Policy Template Management (Automated) Properties dialog box, click the Triggers tab.
dd. Click At logon, and then click Edit.
ee. In the Delay task for list, click 30 Seconds. Click OK twice.
In the lab environment, you want this task to execute shortly after logon, but after group policies are enforced on the computer. In a production environment, the one-hour delay should work for most implementations, and the settings can be deployed using Group Policy.
ff. Close all open windows.
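Three things decide whether a Vista client ends up with templates after the steps above: the WMI filter has to match the machine, the scheduled task has to be enabled and running, and the templates have to land in the local cache folder named in step i. The script below is an added example and is not from the original post; it runs those checks on a client using schtasks.exe and Get-WmiObject, both present on Vista (the ScheduledTasks PowerShell module only exists on Windows 8 / Server 2012 and later). The task path and name, the WMI query and the cache path are those given in the steps above.

```powershell
# Added example (not from the original post): verify, on a client, the three
# prerequisites the Vista steps above depend on. Uses schtasks.exe and
# Get-WmiObject (both available on Vista); task path, WMI query and cache
# path are the ones given in the post.

# 1. Does this machine match the GPO's WMI filter? Same query as the
#    "OS Vista" filter, executed locally.
$os = Get-WmiObject -Namespace 'root\cimv2' `
        -Query 'select * from Win32_OperatingSystem where Version like "6.0%"'
"WMI filter 'OS Vista' matches this machine: {0}" -f [bool]$os

# 2. Is the automated template download task enabled, and has it run?
$taskName = '\Microsoft\Windows\Active Directory Rights Management Services Client\' +
            'AD RMS Rights Policy Template Management (Automated)'
schtasks.exe /Query /TN $taskName /V /FO LIST |
    Where-Object { $_ -match '^(Status|Scheduled Task State|Last Run Time|Last Result):' }

# Equivalent of step aa (Enable) without the Task Scheduler UI:
# schtasks.exe /Change /TN $taskName /ENABLE

# 3. Did templates reach the local cache that the "URL for location of
#    document templates" policy points at (%localappdata%\Microsoft\DRM\templates)?
$cache = Join-Path $env:LOCALAPPDATA 'Microsoft\DRM\templates'
if (Test-Path -LiteralPath $cache) {
    Get-ChildItem -LiteralPath $cache -Filter '*.xml' |
        Select-Object Name, LastWriteTime, Length |
        Format-Table -AutoSize
} else {
    "Template cache folder not found: $cache"
}
```

A "Last Result" of 0 together with a populated cache folder means the Restrict Permission menu in Word should list the templates; an empty cache with the task still disabled usually means Group Policy had not applied before the task's logon trigger fired, which is exactly why the steps above add a delay to the trigger.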
Protect the MS Word document using the template
a. Log on to Client machine as Enduser
b. Start Microsoft Office Word 2007 (Professional Plus) or Word 2003 Professional.
c. Type the following text in the new document: This is a document that should not be altered by anyone besides the author.
d. On the Office menu, select Prepare and then Restrict Permission.
e. Confirm that you can see the templates listed, and select xxxx Confidential – Read Only.
f. Save the file as xxxxx Confidential.docx.
g. Log off the Client machine.