Steven JW Kennedy

My Blog

Archive for February 22nd, 2011

AD RMS: Client side

Posted by Steven Kennedy on February 22, 2011

Both Windows Vista and Windows 7 come with the AD RMS client built in. For Windows XP you'll need to download the client from Microsoft and install it. In my case I'm using Windows 7 Enterprise 32-bit.

Even with the client built in, there's some configuration that has to take place before you can start using AD RMS templates.

In order to update the templates to a user's local PC, a scheduled job runs that copies the templates from the previously defined location, in my case \\RMS\Users\Public, to the user's PC. Where these templates are located is defined in the registry. This is where I started to have some issues. For me at home it's not a big deal: I can just use Regedit to set up the key and value. In a business environment that's not so practical, so you'll have to resort to defining the registry settings via Group Policy, which is where I ran into an issue. I'll address this a bit later on in this post.

First off you need to enable the scheduled tasks that update the policy templates on the client PC. You do this by opening up the Task Scheduler, via Control Panel > System and Security > Schedule tasks (this is for Windows 7). You'll then expand the Task Scheduler Library, expand down through Microsoft > Windows, and then select Active Directory Rights Management Services Client. See the screenshot below.

[Screenshot: AD_RMS_Task_Scheduler - Annotated]

As you can see from the screenshot, the Status for the task is Disabled. You'll need to enable both tasks by selecting each one in turn and clicking on Enable. In my case I had to do this using an administrator account because my normal user account doesn't have local privileges, and a privileged account is required to make these changes. You can also make these changes via Microsoft's Systems Management Server or using Group Policy with the following command: schtasks /Change /TN "\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)" /ENABLE (from a Microsoft TechNet posting). I haven't tried this yet. The same TechNet posting tells you how to enter the registry key that points to the location on the local machine where the templates will go. It's when I tried to use a GPO to do this that I ran into an issue.

I decided to try using a GPO to make the relevant registry settings. So I downloaded the Office 2010 Administrative Templates and applied them. I then went into Group Policy Manager, activated the template setting specific to AD RMS clients and entered the path: %LocalAppData%\Microsoft\DRM\Templates



I then logged off and back on, on my client PC, to get the GPO applied. Yes, I know I could do it via GPUPDATE /Force, but I also wanted to force the scheduled task to run. It turns out I had to do that manually or wait up to an hour for it to run.

Anyway, once I was logged back in, imagine my surprise when I found that the policy propagation wasn't working. After a bit of digging I found that the Office 2010 Administrative Templates define the key value for AdminTemplatePath as REG_SZ, where it needs to be REG_EXPAND_SZ. As there seemed to be no way to change the administrative template (I didn't look or try that hard), I ended up using the Group Policy Preferences capability that's now available with Server 2008. In the same GPO editor select User Configuration > Preferences > Registry and define a key, as shown in the screenshot below, by right-clicking on Registry and selecting New > Registry Item.


(Note: the key path is Software\Policies\Microsoft\office\14.0\common\drm.)
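As an added example (my own script, not from this post or from Microsoft), the following PowerShell checks from the Windows 7 client the three things these two posts ask for: that the template share is readable by the logged-on user, that the scheduled task is enabled, and that AdminTemplatePath exists with type REG_EXPAND_SZ; with -Fix it enables the task and recreates the value. It assumes the share, task name and paths quoted above, that the Office 14.0 policy key lives under HKEY_CURRENT_USER (it is set under User Configuration), and that -Fix is run from an elevated prompt.

```powershell
# Added example, not from the original post: checks (and with -Fix repairs)
# the client-side pieces described above on Windows 7 with Office 2010.
# Assumptions: share and paths from the post, HKCU for the Office 14.0 policy
# key (User Configuration), and an elevated prompt when -Fix is used.
param([switch]$Fix)

$share      = '\\RMS\Users\Public'
$taskFolder = '\Microsoft\Windows\Active Directory Rights Management Services Client'
$taskName   = 'AD RMS Rights Policy Template Management (Automated)'
$regPath    = 'HKCU:\Software\Policies\Microsoft\Office\14.0\Common\DRM'
$valueName  = 'AdminTemplatePath'
$wanted     = '%LocalAppData%\Microsoft\DRM\Templates'

# 1. Can this user read the distributed templates? (the read-access check from the post)
if (Test-Path $share) {
    $templates = Get-ChildItem -Path $share -Filter *.xml -ErrorAction SilentlyContinue
    Write-Host ("Template share reachable, {0} .xml template file(s) visible" -f @($templates).Count)
} else {
    Write-Host "Template share $share is not reachable or not readable by this user"
}

# 2. Is the task that copies templates enabled? schtasks /Query shows the state;
#    schtasks /Change /ENABLE is the TechNet command quoted in the post.
$fullName = "$taskFolder\$taskName"
$row = schtasks /Query /TN $fullName /FO CSV /NH | ConvertFrom-Csv -Header Task, NextRun, Status
Write-Host "Task '$taskName' status: $($row.Status)"
if ($Fix -and $row.Status -eq 'Disabled') {
    schtasks /Change /TN $fullName /ENABLE | Out-Null
}

# 3. Is AdminTemplatePath present and REG_EXPAND_SZ? A REG_SZ value (what the Office
#    2010 ADMX writes) leaves %LocalAppData% unexpanded, matching the symptom in the post.
$key  = Get-Item -Path $regPath -ErrorAction SilentlyContinue
$kind = $null
if ($key -and ($key.GetValueNames() -contains $valueName)) { $kind = $key.GetValueKind($valueName) }
if ($kind -eq 'ExpandString') {
    Write-Host "$valueName is REG_EXPAND_SZ: OK"
} elseif ($null -ne $kind) {
    Write-Host "$valueName is $kind but must be REG_EXPAND_SZ"
} else {
    Write-Host "$valueName is missing"
}
if ($Fix -and $kind -ne 'ExpandString') {
    if (-not $key) { New-Item -Path $regPath -Force | Out-Null }
    # Set-ItemProperty keeps an existing value's type, so delete and recreate it.
    Remove-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    New-ItemProperty -Path $regPath -Name $valueName -PropertyType ExpandString -Value $wanted | Out-Null
}
```

A value written locally under Software\Policies is reapplied at the next policy refresh for as long as the Office ADMX setting stays enabled in the GPO, so the durable fix remains the Preferences registry item described above; -Fix is for confirming the diagnosis on one machine.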

More posts to follow on Exchange and SharePoint and AD RMS and also what the client side sees and can do, specifically with Office 2010.

Posted in AD RMS

AD RMS: Microsoft Active Directory Rights Management Service

Posted by Steven Kennedy on February 22, 2011

Ever since Microsoft came out with their Rights Management Service, now called AD RMS, I've been interested in using it. However, in the early days the setup and use of it was not that user friendly. Microsoft has, to a large extent, taken care of that. Not only is it easier to set up and use, it can be integrated with Microsoft Exchange and SharePoint. I'll be writing separate posts about my adventures in getting AD RMS working with both Exchange 2010 and SharePoint 2010.

So, last week I installed a new virtual image with AD RMS on it. The installation of the server side of the software was pretty straightforward; I just followed the installation instructions to add the AD RMS role.

For my setup, being as it's at home, I just used self-signed certificates, which causes a number of pop-ups as you use AD RMS. More on that in later posts on using AD RMS. Suffice it to say, if you have a valid certificate authority it'll make deployment and use of AD RMS easier and less intrusive to users.

One issue I did run into is the distribution of policy templates. You not only need to define a location for the templates that all users can read, but you also need to set up the clients to be able to read these templates, so that they can make use of them. For Windows Vista and Windows 7 this is somewhat easier as the AD RMS client is part of the operating system. For Windows XP you have to install an AD RMS client explicitly. In my case I'm currently using Windows 7 Enterprise 32-bit.

So my home setup consists of a Windows Server 2008 R2 server with the Active Directory Rights Management Service role enabled, plus a Windows 7 client with Office 2010.

Once I'd installed RMS, and made sure it and the server had all updates applied, I went and created a folder to put the RMS policy templates that I'd be creating. I took the easy way out and used the 'Public' folder on the RMS server, \\RMS\Users\Public, where RMS is the host name of the server hosting the AD RMS role. I then used the Active Directory Rights Management Services console to point AD RMS to this folder. In the console select Rights Policy Templates, indicated by the 1 on the screenshot. Then click on the link Change distributed rights policy templates file location, indicated by the 2. In my case, as I'd already done this, the location is shown as \\RMS\Users\Public, indicated by the 3.

[Screenshot: Policy_Template_files_location - annotated]

Once you click on Change distributed rights policy templates file location you'll be presented with a dialog box, like the one below, to enter the location you wish to use. In the screenshot below it's showing the location I'd already set. If you haven't previously set a location then the Current templates file location: field will be blank.


Once I had this set up I could go ahead and create policy templates. Again, this is pretty straightforward, but it's worth noting here that to apply AD RMS to something, like an email, Word document etc., you have to say who it is that's getting the rights. This is done via email addresses. So you either have to provide explicit email addresses of your users, or use distribution lists. You can also use Windows Live IDs if you enabled them during installation, or even use Active Directory Federation Services if you enabled that functionality during installation. In my case I only enabled Windows Live ID. It seems fairly obvious that it's best to use distribution lists; that way you only need to update the DL's membership without having to update the policy. Also, defining the policy with a DL means that you don't have to re-distribute the policy every time you update the membership of the DL.

This leads to something else you should consider when setting up AD RMS: naming conventions. You should come up with something for the policy names and for any associated DLs that the policies use. I'll touch on this in a separate posting as this one is getting quite long as it is.

Once you have a policy template defined you can check the templates file location to see if it's there. You can also have other users look at the location to make sure that they have read access to the location and the template files located there.

That's the first part of making an AD RMS template available. The second piece is for the client to access it. This is where I ran into an issue. I was able to use Word and Outlook to select a template, but only the default ones provided. The templates that I'd defined weren't showing up. I'll go into that in my next post, AD RMS: Client side.

Posted in AD RMS, General, Server 2008