Steven JW Kennedy

My Blog

AD RMS: Microsoft Active Directory Rights Management Service

Posted by Steven Kennedy on February 22, 2011

Ever since Microsoft came out with their Rights Management Service, now called AD RMS, I’ve been interested in using it. However, in the early days the setup and use of it was not that user friendly. Microsoft have, to a large part, taken care of that. Not only is it easier to setup and use it can be integrated with Microsoft Exchange and SharePoint. I’ll be posting separate posts about my adventures in getting AD RMS working with both Exchange 2010 and SharePoint 2010.

So, last week I installed a new virtual image with AD RMS on it. The installation of the server side of the software was pretty straightforward; I just followed the installation instructions to add the AD RMS role.

For my setup, being as it’s at home, I just used self-signed certificates, which caused a number of pop-ups as you use AD RMS. More on that in later posts on using AD RMS. Suffice to say, if you have a valid certificate authority it’ll make deployment and use of AD RMS easier and less intrusive to users.

One issue I did run into is the distribution of policy templates. You not only need to define a location for the templates that all users can read, but you also need to set up the clients to be able to read these templates, so that they can make use of them. For Windows Vista and Windows 7 this is somewhat easier as the AD RMS Client is part of the operating system. For Windows XP you have to install an AD RMS client explicitly. In my case I’m currently using Windows 7 Enterprise 32-bit.

So my home setup consists of a Windows Server 2008 R2 server with the Active Directory Rights Management Service role enabled, plus a Windows 7 client with Office 2010.

Once I’d installed RMS, and made sure it and the server had all updates applied, I went and created a folder to put the RMS Policy Templates that I’d be creating in. I took the easy way out and used the ‘Public’ folder on the RMS server, \\RMS\Users\Public, where RMS is the host name for the server hosting the AD RMS role. I then used the Active Directory Rights Management Services console to point AD RMS to this folder. In the console select Rights Policy Templates, indicated by the 1 on the screenshot. Then click on the link Change distributed rights policy templates file location, indicated by the 2. In my case, as I’d already done this, the location is shown as \\RMS\Users\Public, indicated by the 3.

[Screenshot: Policy_Template_files_location - annotated]

Once you click on Change distributed rights policy templates file location you’ll be presented with a dialog box, like the one below, to enter the location you wish to use. In the screenshot below it’s showing the location I’d already set. If you haven’t previously set a location then the ‘Current templates file location:’ field will be blank.


Once I had this set up I could go ahead and create Policy Templates. Again, this is pretty straightforward, but it’s worth noting here that to apply AD RMS to something, like an email, Word document etc., you have to say who it is that’s getting the rights. This is done via email addresses. So you either have to provide explicit email addresses of your users, or use distribution lists. You can also use Windows Live IDs if you enabled them during installation, or even use Active Directory Federation Services if you enabled that functionality during installation. In my case I only enabled Windows Live ID. It seems fairly obvious that it’s best to use distribution lists; that way you only need to update the DL’s membership without having to update the policy. Also, defining the policy with a DL means that you don’t have to re-distribute the policy every time you update the DL’s membership.

This leads to something else you should consider when setting up AD RMS: naming conventions. You should come up with something for the policy names and for any associated DLs that the policies use. I’ll touch on this in a separate posting as this one is getting quite long as it is.

Once you have a policy template defined you can check the templates file location to see if it’s there. You can also have other users look at the location to make sure that they have read access to the location and the template files located there.
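The check above (are the templates present, and can the users who need them read the share without being able to change it?) is easy to script. The following PowerShell is an added example, not code from the original post; it assumes the share path from the post, that distributed templates are exported as .xml files, and a placeholder group name (CONTOSO\Domain Users) for the readers.

```powershell
# Added example: audit the distributed rights policy templates share.
# Assumptions: share path from the post; templates exported as .xml files;
# 'CONTOSO\Domain Users' is a placeholder for the group that must read them.
param(
    [string]$TemplatePath = '\\RMS\Users\Public',
    [string]$ReaderGroup  = 'CONTOSO\Domain Users'
)

function Test-RmsTemplateShare {
    param([string]$Path, [string]$Reader)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Template location '$Path' is not reachable."
        return $false
    }

    # List the template files AD RMS has written to the share (assumed *.xml).
    $templates = Get-ChildItem -LiteralPath $Path -Filter '*.xml' |
                 Where-Object { -not $_.PSIsContainer }
    if (-not $templates) {
        Write-Warning "No template files in '$Path'; nothing distributed yet."
    } else {
        $templates | ForEach-Object { Write-Host "Template: $($_.Name)" }
    }

    $acl = Get-Acl -LiteralPath $Path
    $ok  = $true
    $readMask  = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                       [System.Security.AccessControl.FileSystemRights]::Delete)

    # The reader group needs an Allow entry that includes Read, nothing more.
    $canRead = $acl.Access | Where-Object {
        $_.IdentityReference -eq $Reader -and $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $readMask) -ne 0)
    }
    if (-not $canRead) { Write-Warning "'$Reader' has no Allow/Read entry."; $ok = $false }

    # Flag broad groups that could alter the templates every client consumes.
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $writeMask) -ne 0) -and
        $_.IdentityReference -match 'Everyone|Users|Authenticated Users'
    } | ForEach-Object {
        Write-Warning "$($_.IdentityReference) can modify templates ($($_.FileSystemRights))."
        $ok = $false
    }
    return $ok
}

Test-RmsTemplateShare -Path $TemplatePath -Reader $ReaderGroup
```

Run it as one of the intended users to confirm they see the same template files the console shows; a $false result means either a missing read grant or a write grant that should be removed from the Public folder.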

That’s the first part of making an AD RMS template available. The second piece is for the client to access it. This is where I ran into an issue. I was able to use Word and Outlook to select a template, but only the default, provided ones. The templates that I’d defined weren’t showing up. I’ll go into that in my next post, AD RMS: Client side.

