Steven JW Kennedy

My Blog

AD RMS: Client side

Posted by Steven Kennedy on February 22, 2011


Both Windows Vista and Windows 7 come with the AD RMS client built in. For Windows XP you’ll need to download a client from Microsoft and install it. In my case I’m using Windows 7 Enterprise 32-bit.

Even with the client built in, there’s some configuration that has to take place before you can start using AD RMS templates.

In order to update the templates on a user’s local PC, a scheduled job runs that copies the templates from the previously defined location, in my case \\RMS\Users\Public, to the user’s PC. Where these templates are located is defined in the registry. This is where I started to have some issues. For me at home it’s not a big deal. I can just use Regedit to set up the key and value. In a business environment that’s not so practical. So you’ll have to resort to defining the registry settings via Group Policy, which is where I ran into an issue. I’ll address this a bit later on in this post.

First off, you need to enable the scheduled tasks that’ll update the policy templates on the client PC. You do this by opening up the Task Scheduler, via the Control Panel.System and Security.Scheduled tasks (this is for Windows 7). You’ll then expand the Task Scheduler Library and expand down through Microsoft.Windows and then select Active Directory Rights Management Services Client. See the screen shot below.

AD_RMS_Task_Scheduler - Annotated

As you can see from the screen shot, the Status for the task is Disabled. You’ll need to enable both tasks by selecting each one in turn and clicking on Enable. In my case I had to do this using an administrator account because my normal user account doesn’t have local privileges and a privileged account is required to make these changes. You can also make these changes via Microsoft’s Systems Management Server or using Group Policy using the following command: schtasks /Change /TN "\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)" /ENABLE (from Microsoft TechNet posting here). I haven’t tried this yet. This same posting on TechNet tells you how to enter the registry key to point to the location on the local machine where the templates will go. It’s when I tried to use a GPO to do this that I ran into an issue.

I decided to try using a GPO to make the relevant registry settings. So I downloaded the Office 2010 Administrative templates and applied them. I then went into Group Policy Manager and activated the template specific for AD RMS clients and entered the path: %LocalAppData%\Microsoft\DRM\Templates

Specifiy_Permissons_Policy_Path

Specifiy_Permissons_Policy_Path_Dialog_box

I then logged off and back on on my client PC, to get the GPO applied. Yes, I know I could do it via GPUPDATE /Force, but I also wanted to force the scheduled task to run. Turns out I had to do that manually or wait up to an hour for it to run.

Anyway, once I was logged back in, imagine my surprise that the policy propagation wasn’t working. After a bit of digging I found that the Office 2010 Administrative templates defined the key value for AdminTemplatePath as REG_SZ, where it needed to be REG_EXPAND_SZ. As there seemed to be no way to change the administrative template (I didn’t look or try that hard), I ended up using the Preference setting capability that’s now available within AD 2008. In the same GPO editor select User Configuration.Preferences.Registry and define a key, as shown in the screen shot below, by right clicking on Registry and selecting New.Registry Item.

admintemplatepath_-_preferences

(Note! the key path is: Software\Policies\Microsoft\office\14.0\common\drm)
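
A client-side check for the two failure points described above (disabled scheduled tasks, and AdminTemplatePath stored as REG_SZ instead of REG_EXPAND_SZ). This is an added example, not part of the original post or the TechNet article; it assumes the value lives in the current user's hive (HKCU), since the preference was set under User Configuration.

```powershell
# Added example: audit the AD RMS client settings described in this post.
# Assumption: the policy value is under HKCU because it was delivered
# through User Configuration; adjust the hive if your GPO differs.
$keyPath   = 'HKCU:\Software\Policies\Microsoft\office\14.0\common\drm'
$valueName = 'AdminTemplatePath'
$taskDir   = '\Microsoft\Windows\Active Directory Rights Management Services Client'

# 1. Registry: the value must exist and must be REG_EXPAND_SZ.
$key = Get-Item -Path $keyPath -ErrorAction SilentlyContinue
if (-not $key -or ($key.GetValueNames() -notcontains $valueName)) {
    Write-Warning "$valueName is not set under $keyPath"
} else {
    $kind = $key.GetValueKind($valueName)
    # Read the stored string as-is, without environment variable expansion.
    $raw  = $key.GetValue($valueName, $null,
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    "{0} = '{1}' (type: {2})" -f $valueName, $raw, $kind

    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::ExpandString) {
        if ($raw -match '%[^%]+%') {
            Write-Warning "Stored as $kind: the variable in the path stays literal. Needs REG_EXPAND_SZ."
        }
    } else {
        # Type is correct: confirm the expanded folder exists and has content.
        $resolved = [Environment]::ExpandEnvironmentVariables($raw)
        if (Test-Path -Path $resolved) {
            $count = @(Get-ChildItem -Path $resolved).Count
            "Template folder $resolved contains $count item(s)"
        } else {
            Write-Warning "Template folder $resolved does not exist yet"
        }
    }
}

# 2. Scheduled tasks: list every task in the AD RMS client folder with its state.
$svc = New-Object -ComObject Schedule.Service
$svc.Connect()
$folder = $null
try { $folder = $svc.GetFolder($taskDir) }
catch { Write-Warning "Task folder not found: $taskDir" }

if ($folder) {
    foreach ($task in $folder.GetTasks(1)) {   # 1 = include hidden tasks
        "Task '{0}': Enabled = {1}" -f $task.Name, $task.Enabled
        if (-not $task.Enabled) { Write-Warning "Task '$($task.Name)' is disabled" }
    }
}
```

Run it as the affected user on the client after the GPO has applied; it only reads state and changes nothing.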

More posts to follow on Exchange and SharePoint and AD RMS and also what the client side sees and can do, specifically with Office 2010.
