Steven JW Kennedy

My Blog

Archive for the ‘Operating Systems’ Category

Top level category for various computer operating systems

Aaargh!

Posted by Steven Kennedy on February 24, 2011


I’ve a Microsoft Rights Management Service server setup on my home network. I have it working with Office 2010 and Exchange 2010. Then I found a reference on-line to the fact that RMS could be made to work with Office for the Mac 2011. So I followed the instructions and I can open and read RMS protected Office documents but the icon to set permissions is grayed out. That’s when I found the following reference in the Word:Mac Product Guide;

Creating IRM-protected documents with Office for Mac 2011 requires the volume license edition of Office 2011, as well as a Rights Management server running Windows Server 2008 R2. SP1 Opening IRM-protected content to which you have been given access can be done from any edition of Office for Mac 2011 or from Office 2003 for Windows or later.

The version I have is the ordinary retail version of Office for Mac 2011. So I can open and read protected documents but I cannot create them. I have a TechNet account and I checked the version available there and it’s; Office for Mac 2011 Home and Business, the same version as I already have. Guess I’m not going to be testing RMS with the Mac anytime soon.

Crying face

Posted in AD RMS, Apple Macintosh | Tagged: | Leave a Comment »

AD RMS: Client side

Posted by Steven Kennedy on February 22, 2011


Both Windows Vista and Windows 7 come with the AD RMS client built-in. For Windows XP you’ll need to download a client, from Microsoft, and install it. In my case I’m using Windows 7 Enterprise 32bit.

Even with the client built-in there’s some configuration that has to take place before you can start using AD RMS templates.

In order to update the templates to a users local PC a scheduled job runs that copies the templates from the previously defined location, in my case \\RMS\Users\Public, to the users PC. Where these templates are located is defined in the registry. This is where I started to have some issue. For me at home it’s not a big deal. I can just use Regedit to setup the key and value. In a business environment that’s not so practical. So you’ll have to resort to defining the registry settings via Group Policy, which is where I ran in to an issue. I’ll address this a bit later on in the this post.

First off you need to enable the scheduled tasks, that’ll update the policy templates on the client PC. You do this by opening up the task scheduler, via the Control Panel.System and Security.Scheduled tasks (this for for Windows 7). You’ll then expand the Task Scheduler Library and expand down through Microsoft.Windows and then select Active Directory Rights Management Services Client. see the screen shot below.

AD_RMS_Task_Scheduler - Annotated

As you can see from the screen shot the Status for the task is Disabled. You’ll need to enable both tasks by selecting each one in turn and clicking on Enable. In my case I had to do this using an administrator account because my normal user account doesn’t have local privileges and a privileged account is required to make these changes. You can also make these changes via Microsoft’s Systems management Server or using Group Policy using the following command; schtasks /Change /TN “\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)” /ENABLE (from Microsoft TechNet posting here). I haven’t tried this yet. This same posting on TechNet tells you how to enter the registry key to point to the location on the local machine where the templates will go. It’s when I tried to use a GPO to do this that I ran in to an issue.

I decided to try using a GPO to make the relevant registry settings. So I down loaded the Office 2010 Administrative templates and applied them. I then went in to Group Policy Manager and activated the template specific for AD RMS clients and entered in the path; %LocalAppData%\Microsoft\DRM\Templates

Specifiy_Permissons_Policy_Path

Specifiy_Permissons_Policy_Path_Dialog_box

I then logged off and back on on my client PC, to get the GPO applied. yes I know I could do it via GPUPDATE /Force but I also wanted to force the scheduled task to run. Turns out I had to do that manually or wait up to an hour for it to run.

Anyway, once I was logged back in image my surprise but that the policy propagation wasn’t working. After a bit of digging I found that the Office 2010 Administrative templates defined the key value for AdminTemplatePath as REG_SZ, where it needed to be REG_EXPAND_SZ. As there seemed to be no way to change the administrative template, I didn’t look or try that hard, I ended up using the Preference setting capability that’s now available within AD 2008. In the same GPO editor select User Configuration.Preferences.Registry and define a key, as shown in the screen shot below, by right clicking on Registry and selecting New.Registry Item

admintemplatepath_-_preferences

(Note! the key path is: Software\Policies\Microsoft\office\14.0\common\drm)

More posts to follow on Exchange and SharePoint and AD RMS and also what the client side sees and can do, specifically with Office 2010.

Posted in AD RMS | Tagged: | Leave a Comment »

AD RMS: Microsoft Active Directory Rights Management Service

Posted by Steven Kennedy on February 22, 2011


Ever since Microsoft came out with their Rights Management Service, now called AD RMS, I’ve been interested in using it. However, in the early days the setup and use of it was not that user friendly. Microsoft have, to a large part, taken care of that. Not only is it easier to setup and use it can be integrated with Microsoft Exchange and SharePoint. I’ll be posting separate posts about my adventures in getting AD RMS working with both Exchange 2010 and SharePoint 2010.

So, last week I installed a new virtual image with AD RMS on it. The installation of the server side of the software was pretty straight forward, I just follow the installation instructions to add the AD RMS role.

For my setup, being as it’s at home, I just used self signed certificates, which cause a number of pop-ups as you use AD RMS. More on that in later posts on using AD RMS. Suffice to say, if you have a valid certificate authority it’ll make deployment and use of AD RMS easier and less intrusive to users.

One issue I did run into is the distribution of policy templates. You not only need to define a location for the templates, that all users can get to read, but you also need to setup the clients to be able to read these templates, in order that they can make use of them. For Windows Vista and Windows 7 this is somewhat easier as the AD RMS Client is part of the Operating System. For Windows XP you have to install an AD RMS client explicitly. In my case I’m currently using Windows 7 Enterprise 32bit.

So my home setup consists of a Windows Server 2008 R2 server with the Active Directory Rights Management Service role enabled. Windows 7 client with Office 2010.

Once I’d installed RMS, and made sure it and the server had all updates applied I went and created a folder to put the RMS Policy Templates that I’d be creating. I took the easy way out and used the ‘Public’ folder on the RMS server; \\RMS\Users\Public, where RMS is the host name for the server hosting the AD RMS role. I then used the Active Directory Rights Management Services console to point AD RMS to this folder. In the console select Rights Policy Templates, indicated by the 1 on the screen shot. Then click on the link Change distributed rights policy templates file location, indicated by the 2. In my case as I’d already done this the location is shown as \\RMS\Users\Public, indicated by the 3.

Policy_Template_files_location - annotated

Once you click on Change distributed rights policy templates file location you’ll be presented with a dialog box, like the one below, to enter the location you wish to use. In the screen shot below it’s showing the location I’d already set. If you haven’t previously set a location then the Current templates file location: will be blank

Rights_Policy_Templates_-_Templates_File_Location

Once I had this setup I could go ahead and create Policy Templates. Again, this is pretty straight forward but it’s worth noting here that to apply AD RMS to something, like an email, Word document etc. you have say who it is that’s getting the rights. This is done via email addresses. So you either have to provide explicit email addresses, of your users, or use distribution lists. You can also use Windows Live ID’s if you enabled them during installation, or even use Active Directory Federation Services if you enabled that functionality during installation. In my case I only enabled Windows Live ID. It’s seems fairly obvious that it’s best to use Distribution lists, that way you only need to update the DL’s membership without having to update the policy. Also, defining the policy with a DL means that you don’t have to re-distribute the policy every time you update the membership of the policy.

This leads to something else you should consider when setting up AD RMS. naming conventions. You should come up with something for the policy names and for any associated DL’s that the policies use. I’ll touch on this in a separate posting as this one is getting quite long as it is.

Once you have a policy template defined you can check the templates file location to see if it’s there. You can also have other users look at the location to make sure that they have read access t the location and the template files located there.

That’s the first part of making an AD RMS template available. The second piece is for the client to access it. This is where I ran in to an issue. I was able to use Word and Outlook to select a template but only the default, provided ones. The templates that I’d defined weren’t showing up. I’ll go in to that in my next post, AD RMS: Client side.

Posted in AD RMS, General, Server 2008 | Tagged: | Leave a Comment »

5 Days, 2 OSes and 3 different browsers

Posted by Steven Kennedy on February 9, 2011


So it’s been 5 days that the Comments capability on my iWeb/MobileMe blog has been working. I’ve now tried it out using the following computer OSes and browsers;

  • Windows 7 and IE 8, Firefox 3.6.11
  • Windows 7 and IE 9 Beta
  • OS X 10.6.6 and Safari 5.0.3, Firefox 3.6.13

All of these are working.

I also did a search to see if anyone, Apple?, had posted anything about any changes to either iWeb or MobileMe that would indicate that they’d done something to fix the problem but I didn’t find anything. Guess I get to keep an eye on it for a while.

If the Comments continue to work through the rest of this week then I’ll revert my iWeb/MobileMe sites’ Welcome page, rather than having it do a re-direct to this blog.

Posted in iWeb, Mac OS X | Tagged: , , | Leave a Comment »

4 Days and counting

Posted by Steven Kennedy on February 8, 2011


Good and bad Comment dialog boxes

First posted on my MobileMe blog here

It’s been something like four days now with the iWeb Comments capability working. It was failing after something like 8-24 hours before. You can read my trials and tribulations with the MobileMe/iWeb Comments capability on previous posts; Comments not working and Problem with iWeb/MobileMe Comments.

last week I contacted MobileMe support to talk with them about the problem, using chat. I explained what it was that I was seeing and what I’d found out, as I’ve detailed in the post Problem with iWeb/MobileMe Comments. I was informed that MobileMe is only a hosting facility and that the functionality, or lack there of, was an iWeb issue. So I tried to get iWeb support only to find out that iWeb support is tied to your hardwares support. If you don’t have support for your Mac you don’t get to talk with a tech support rep, sort of.

There was an option to dispute this, which I checked and gave them a phone number that they could call be back on, which they did pretty promptly, 10-15 minutes as I recall. I talked with the rep on the phone and explained the issue and she explained that I’d have to pay to talk to a tech support rep, or I could use their Feedback mechanism, which is what I ended up doing. If you go to http://www.apple.com/feedback/iweb.html you can provide feedback to Apple about iWeb. In this case I reported a ‘bug’, the problem with the Comment dialog box not formatting and working properly. I included the information I’d cleaned about the differences in source code, detailed in the post Problem with iWeb/MobileMe Comments.

That was on or about Wednesday of last week, the 2nd February. Since then my Comment dialog box when using Safari, Firefox and IE has been working okay. Perhaps I’m getting lucky and only hitting those servers with the ‘good’ source code, or perhaps the iWeb team has found and fixed the problem? We can live in hope.

Posted in iWeb, Mac OS X | Tagged: , , | Leave a Comment »