Friday 22 August 2014

Creating and Deploying Active Directory Rights Management Services Rights Policy Templates Step-by-Step Guide



To ease administration of the rights policy templates, you can store AD RMS rights policy templates in a central location so that they can be copied to the AD RMS clients. Some distribution methods include using Systems Management Server, Group Policy, or manually copying the templates to the AD RMS client. In this guide, the rights policy templates are copied manually.
Note
The AD RMS service account must have Write access to the rights policy template shared folder in order for the rights policy template export function to work correctly.
To create a shared folder for the AD RMS rights policy templates and set appropriate permissions for the AD RMS service account, do the following:
To create an AD RMS rights policy templates shared folder
1.   Log on to ADRMS-SRV as CPANDL\Administrator.
2.   Click Start, click Computer, and then double-click Local Disk (C:).
3.   Create a new folder named ADRMSTemplates. Click Organize, click New Folder, type the name ADRMSTemplates, and then press ENTER.
4.   Right-click the ADRMSTemplates folder, and then click Properties.
5.   Click the Sharing tab, and then click Advanced Sharing.
6.   Select the Share this Folder check box, and then click Permissions.
7.   Click Add, in the Enter the object names to select box type CPANDL\ADRMSSRVC, and then click OK.
8.   In the Group or user names box, click ADRMSSRVC (ADRMSSRVC@cpandl.com), and then, in the Permissions for ADRMSSRVC box, select the Change check box in the Allow column.
9.   Click OK twice.
10.  Click the Security tab, and then click Edit.
11.  Click Add, in the Enter the object names to select box type CPANDL\ADRMSSRVC, and then click OK.
12.  Click ADRMSSRVC (ADRMSSRVC@cpandl.com), and then, in the Permissions for ADRMSSRVC box, select the Modify check box in the Allow column, and then click OK.
13.  Click Close.
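The same share and permission setup, scripted so it can be repeated or audited. This is an added example, not part of the original guide; it assumes an elevated PowerShell prompt on ADRMS-SRV, the service account CPANDL\ADRMSSRVC from the steps above, and a hypothetical CPANDL\Employees group for the Read access that clients need to fetch the templates.

```powershell
# Added example (not from the guide): creates the ADRMSTemplates share on ADRMS-SRV
# with the same permission split the manual steps above set by hand.
# Assumes: elevated prompt on ADRMS-SRV, service account CPANDL\ADRMSSRVC,
# and CPANDL\Employees as the users group (the group name is an assumption).
$folder = 'C:\ADRMSTemplates'
$share  = 'ADRMSTemplates'
$svc    = 'CPANDL\ADRMSSRVC'
$users  = 'CPANDL\Employees'   # hypothetical group that only needs Read

# Step 3: create the folder the templates are exported into.
if (-not (Test-Path $folder)) {
    New-Item -Path $folder -ItemType Directory | Out-Null
}

# Steps 5-9: share the folder. The service account gets Change because the export
# function writes the template files; users get Read only. No one gets Full Control.
# The /GRANT arguments are quoted so PowerShell does not split them on the comma.
net share "$share=$folder" "/GRANT:$svc,CHANGE" "/GRANT:$users,READ" | Out-Null

# Steps 10-13: NTFS permissions. Modify for the service account, Read/Execute for
# users; (OI)(CI) makes the entries inherit to the exported template files.
icacls $folder /grant "${svc}:(OI)(CI)M"   | Out-Null
icacls $folder /grant "${users}:(OI)(CI)RX" | Out-Null

# Verification: show share and NTFS ACLs so the least-privilege split
# (write access for the service account only) can be confirmed before export is enabled.
net share $share
icacls $folder
```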

As mentioned earlier in this guide, AD RMS rights policy templates are created on the AD RMS cluster and then exported to a shared folder. If your users will be using the AD RMS-enabled application only when connected to the internal network, the templates can be accessed from the shared folder by the clients as needed. In this case, all AD RMS users should have Read access to this shared folder in order for them to use the rights policy template.
Alternatively, the templates can be copied from the shared folder to the client computers. This enables the templates to be used when users are not connected to the network, such as when traveling with a laptop or from another mobile device. Because the most common deployment is to copy the templates to the client computers, this is the approach explained in this guide.
To create a new AD RMS rights policy template
1.   Open the Active Directory Rights Management Services Administration console. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.
2.   In the Active Directory Rights Management Services Administration console, click LocalHost.
3.   In the Tasks box in the Results pane, click Manage rights policy templates.
4.   To enable exporting of the AD RMS rights policy templates, click Properties in the Actions pane.
5.   Select the Enable export check box, type \\adrms-srv\ADRMSTemplates in the Specify templates file location (UNC) box, and then click OK.
6.   In the Actions pane, click Create Distributed Rights Policy Template to start the Create Distributed Rights Policy Template wizard.
7.   Click Add.
8.   In the Language list, choose the appropriate language for the rights policy template.
9.   Type CPANDL.COM CC in the Name box.
10.  Type CPANDL.COM Company Confidential in the Description box, and then click Add.
11.  Click Next.
12.  Click Add, type employees@cpandl.com in The e-mail address of a user or group box, and then click OK.
13.  Select the View check box to grant the EMPLOYEES@CPANDL.COM group Read access to any document created by using this AD RMS rights policy template.
14.  Click Finish.

The AD RMS client is included in the default installation of Windows Vista. Previous versions of the client are available for download for other Windows operating systems.
This guide assumes that an AD RMS cluster is already configured in a test environment. Additionally, extra configuration is required on the AD RMS client workstation so that the rights policy templates are accessible. To make the AD RMS rights policy templates accessible, you must copy the AD RMS rights policy templates to the client computer and create a registry entry that points to the location of the rights policy templates.
In order for the AD RMS client computer to locate the templates, you must add a registry entry and copy the AD RMS rights policy templates locally. To do this, you must complete the following steps before rights-protecting a document:
To make AD RMS templates available to users on ADRMS-CLNT
1.   Log on to ADRMS-CLNT as Nicole Holliday (nhollida@cpandl.com).
2.   Click Start, type regedit.exe in the Start Search box, and then click the regedit.exe icon under Programs.
3.   Expand the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM
Note
If DRM was not already created as a part of the key, you must create it manually.
4.   Select DRM, click Edit, point to New, click Expandable String Value, and then type AdminTemplatePath.
5.   Double-click the AdminTemplatePath registry value and type %UserProfile%\AppData\Microsoft\DRM\Templates in the Value data box where %UserProfile% equals C:\Users\<user name>, and then click OK.
6.   Close Registry Editor.
7.   Verify that the path C:\Users\nhollida\AppData\Microsoft\DRM\Templates\ is valid. If it is not, create the appropriate folders.
8.   Click Start, type \\ADRMS-SRV\ADRMSTemplates in the Start Search box, and then press ENTER.
9.   Copy the exported AD RMS rights policy templates from \\ADRMS-SRV\ADRMSTemplates to C:\Users\nhollida\AppData\Microsoft\DRM\Templates.
Note
Copying the AD RMS rights policy templates to the client computer is not required if the rights policy templates do not have to be available offline.
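The client-side registry entry and template copy from the steps above, scripted for the user who will use the templates. This is an added example, not part of the original guide; it assumes Office 2007 (the 12.0 registry key), that \\ADRMS-SRV\ADRMSTemplates is reachable, and that the user running it is the one whose profile should receive the templates.

```powershell
# Added example (not from the guide): performs steps 2-9 above for the logged-on user.
# Assumes Office 2007 (key 12.0) and that \\ADRMS-SRV\ADRMSTemplates is reachable.
$share     = '\\ADRMS-SRV\ADRMSTemplates'
$regKey    = 'HKCU:\Software\Microsoft\Office\12.0\Common\DRM'
# Stored as an expandable string so %UserProfile% resolves per user, exactly as step 5 does.
$regValue  = '%UserProfile%\AppData\Microsoft\DRM\Templates'
$localPath = [Environment]::ExpandEnvironmentVariables($regValue)

# Step 3 note: the DRM key may not exist yet; create it if needed.
if (-not (Test-Path $regKey)) {
    New-Item -Path $regKey -Force | Out-Null
}

# Steps 4-5: AdminTemplatePath must be REG_EXPAND_SZ. A plain REG_SZ would leave
# %UserProfile% unexpanded and the client would look for a literal path, so any
# existing value is removed and recreated with the correct type.
Remove-ItemProperty -Path $regKey -Name AdminTemplatePath -ErrorAction SilentlyContinue
New-ItemProperty -Path $regKey -Name AdminTemplatePath -PropertyType ExpandString -Value $regValue | Out-Null

# Step 7: make sure the local Templates folder exists.
if (-not (Test-Path $localPath)) {
    New-Item -Path $localPath -ItemType Directory -Force | Out-Null
}

# Steps 8-9: copy the exported templates from the share to the local folder.
Copy-Item -Path "$share\*" -Destination $localPath -Force

# Verification: the value type must be ExpandString and at least one template must have landed.
$kind  = (Get-Item $regKey).GetValueKind('AdminTemplatePath')
$count = @(Get-ChildItem -Path $localPath -File -ErrorAction SilentlyContinue).Count
"AdminTemplatePath kind: $kind (expected: ExpandString)"
"Templates present in ${localPath}: $count"
```

Run it again after new templates are published on the server; it is safe to repeat because the registry value is recreated and existing files are overwritten.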
To verify the functionality of the AD RMS deployment, you log on as Nicole Holliday and then restrict permissions on a Microsoft Word 2007 document by using the AD RMS rights policy template created earlier in this guide. This policy gives CP&L employees the ability to read the document but not to change, print, or copy it. All other people have no access at all to the document. You then log on as Stuart Railson and verify that Stuart Railson, a member of the Employees group at CP&L, cannot print the document.
To restrict permissions on a Microsoft Word 2007 document
1.   Log on to ADRMS-CLNT as Nicole Holliday (nhollida@cpandl.com).
2.   Click Start, click All Programs, click Microsoft Office, and then click Microsoft Office Word 2007.
3.   Type CP&L Employees cannot print this document on the blank document page, click the Microsoft Office button, point to Finish, point to Restrict Permission, click Restrict Permission as, select nhollida@cpandl.com in the Select User dialog box, and then click OK.
4.   In the Permission dialog box, select the Restrict permission to this document check box, click Read, type the name of the user or group to be restricted (in this case, employees@cpandl.com), and then click OK twice.
5.   Click the Microsoft Office button, click Save As, and then save the file as \\ADRMS-DB\public\ADRMS-TST.docx.
6.   Log off as Nicole Holliday.
Next, log on as Stuart Railson and open the document, ADRMS-TST.docx.
To view a protected document
1.   Log on as Stuart Railson (srailson@cpandl.com).
2.   Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Word 2007.
3.   Click the Microsoft Office button, click Open, navigate to \\ADRMS-DB\public, and then double-click ADRMS-TST.docx.
The following message appears: "Permission to this document is currently restricted. Microsoft Office must connect to https://adrms-srv.cpandl.com/_wmcs/licensing to verify your credentials and download your permission."
4.   Click OK.
The following message appears: "Verifying your credentials for opening content with restricted permissions…"
5.   When the document opens, click the Microsoft Office button. Notice that the Print option is not available.
6.   Click View Permission in the message bar. You should see that the AD RMS rights policy template has been applied to this document.
7.   Click OK to close the My Permissions dialog box, and then close Microsoft Word.
You have successfully deployed and demonstrated the rights policy templates feature of AD RMS, using the simple scenario of applying a rights policy template to a Microsoft Word 2007 document. You can also use this deployment to explore some of the additional capabilities of AD RMS through additional configuration and testing.

What server roles and features are available



Windows Server 2008 includes the following roles and features.

Server roles

A server role describes the primary function of the server. Administrators can choose to dedicate an entire computer to one server role, or install multiple server roles on a single computer. Each role can include one or more role services, best described as sub-elements of a role. The following server roles are available in Windows Server 2008, and can be installed and managed by using Server Manager.

Role name
Description
Active Directory Certificate Services
Active Directory® Certificate Services (AD CS) provides customizable services for creating and managing public key certificates used in software security systems employing public key technologies. Organizations can use Active Directory Certificate Services to enhance security by binding the identity of a person, device, or service to a corresponding private key. Active Directory Certificate Services also includes features that allow you to manage certificate enrollment and revocation in a variety of scalable environments.
Applications supported by Active Directory Certificate Services include Secure/Multipurpose Internet Mail Extensions (S/MIME), secure wireless networks, virtual private networks (VPN), Internet Protocol security (IPsec), Encrypting File System (EFS), smart card logon, Secure Socket Layer/Transport Layer Security (SSL/TLS), and digital signatures.
Active Directory Domain Services
Active Directory Domain Services (AD DS) stores information about users, computers, and other devices on the network. AD DS helps administrators securely manage this information and facilitates resource sharing and collaboration between users. AD DS must also be installed on the network before directory-enabled applications such as Microsoft Exchange Server can be installed and before other Windows Server technologies such as Group Policy can be applied.
Active Directory Federation Services
Active Directory Federation Services (AD FS) provides Web single-sign-on (SSO) technologies to authenticate a user to multiple Web applications using a single user account. AD FS accomplishes this by securely federating, or sharing, user identities and access rights, in the form of digital claims, between partner organizations.
Active Directory Lightweight Directory Services
Organizations that have applications which require a directory for storing application data can use Active Directory Lightweight Directory Services (AD LDS) as the data store. AD LDS runs as a non-operating-system service, and, as such, it does not require deployment on a domain controller. Running as a non-operating-system service allows multiple instances of AD LDS to run concurrently on a single server, and each instance can be configured independently for servicing multiple applications.
Active Directory Rights Management Services (AD RMS)
AD RMS is information protection technology that works with AD RMS-enabled applications to help safeguard digital information from unauthorized use. Content owners can define exactly how a recipient can use the information, such as who can open, modify, print, forward, or take other actions with the information. Organizations can create custom usage rights templates such as "Confidential—Read Only" that can be applied directly to information such as financial reports, product specifications, customer data, and e-mail messages.
Application Server
Application Server provides a complete solution for hosting and managing high-performance distributed business applications. Integrated services, such as the .NET Framework, Web Server Support, Message Queuing, COM+, Windows Communication Foundation, and Failover Clustering support boost productivity throughout the application life cycle, from design and development through deployment and operations.
Dynamic Host Configuration Protocol (DHCP) Server
The Dynamic Host Configuration Protocol allows servers to assign, or lease, IP addresses to computers and other devices that are enabled as DHCP clients. Deploying DHCP servers on the network automatically provides computers and other TCP/IP-based network devices with valid IP addresses and the additional configuration parameters these devices need, called DHCP options, that allow them to connect to other network resources, such as DNS servers, WINS servers, and routers.
DNS Server
Domain Name System (DNS) provides a standard method for associating names with numeric Internet addresses. This makes it possible for users to refer to network computers by using easy-to-remember names instead of a long series of numbers. Windows DNS services can be integrated with Dynamic Host Configuration Protocol (DHCP) services on Windows, eliminating the need to add DNS records as computers are added to the network.
Fax Server
Fax Server sends and receives faxes, and allows you to manage fax resources such as jobs, settings, reports, and fax devices on this computer or on the network.
File Services
File Services provides technologies for storage management, file replication, distributed namespace management, fast file searching, and streamlined client access to files.
Hyper-V™
Hyper-V provides the services that you can use to create and manage virtual machines and their resources. Each virtual machine is a virtualized computer system that operates in an isolated execution environment. This allows you to run multiple operating systems simultaneously.
Network Policy and Access Services
Network Policy and Access Services delivers a variety of methods to provide users with local and remote network connectivity, to connect network segments, and to allow network administrators to centrally manage network access and client health policies. With Network Access Services, you can deploy VPN servers, dial-up servers, routers, and 802.11 protected wireless access. You can also deploy RADIUS servers and proxies, and use Connection Manager Administration Kit to create remote access profiles that allow client computers to connect to your network.
Print Services
Print Services enables the management of print servers and printers. A print server reduces administrative and management workload by centralizing printer management tasks.
Terminal Services
Terminal Services provides technologies that enable users to access Windows-based programs that are installed on a terminal server, or to access the Windows desktop itself from almost any computing device. Users can connect to a terminal server to run programs and to use network resources on that server.
Universal Description, Discovery, and Integration Services
Universal Description, Discovery, and Integration (UDDI) Services provides UDDI capabilities for sharing information about Web services within an organization's intranet, between business partners on an extranet, or on the Internet. UDDI Services can help improve the productivity of developers and IT professionals with more reliable and manageable applications. With UDDI Services you can prevent duplication of effort by promoting reuse of existing development work.
Web Server (IIS)
Web Server (IIS) enables sharing of information on the Internet, an intranet, or an extranet. It is a unified Web platform that integrates IIS 7.0, ASP.NET, and Windows Communication Foundation. IIS 7.0 also features enhanced security, simplified diagnostics, and delegated administration.
Windows Deployment Services
You can use Windows Deployment Services to install and configure Windows operating systems remotely on computers with Pre-boot Execution Environment (PXE) boot ROMs. Administration overhead is decreased through the implementation of the WdsMgmt Microsoft Management Console (MMC) snap-in, which manages all aspects of Windows Deployment Services. Windows Deployment Services also provides end users an experience consistent with Windows Setup.

The following figure shows the File Services role home page in Server Manager.


Features

Features, generally speaking, do not describe the primary function of a server. Features provide auxiliary or supporting functions to servers. Typically, administrators add features not as the primary function of a server, but to augment the functionality of installed roles.
For example, Failover Clustering is a feature which administrators can install after installing certain server roles, such as File Services, to add redundancy to File Services and shorten possible disaster recovery time.
The following features are available in Windows Server 2008, and can be installed using commands in Server Manager.

Feature
Description
Microsoft .NET Framework 3.0 Features
Microsoft .NET Framework 3.0 combines the power of the .NET Framework 2.0 APIs with new technologies for building applications that offer appealing user interfaces, protect your customers’ personal identity information, enable seamless and secure communication, and provide the ability to model a range of business processes.
BitLocker Drive Encryption
BitLocker Drive Encryption helps to protect data on lost, stolen, or inappropriately decommissioned computers by encrypting the entire volume and checking the integrity of early boot components. Data is decrypted only if those components are successfully verified and the encrypted drive is located in the original computer. Integrity checking requires a compatible trusted platform module (TPM).
BITS Server Extensions
Background Intelligent Transfer Service (BITS) Server Extensions allow a server to receive files uploaded by clients using BITS. BITS allows client computers to transfer files in the foreground or background asynchronously, preserve the responsiveness of other network applications, and resume file transfers after network failures and computer restarts.
Connection Manager Administration Kit
Connection Manager Administration Kit (CMAK) generates Connection Manager profiles.
Desktop Experience
Desktop Experience includes features of Windows Vista®, such as Windows Media Player, desktop themes, and photo management. Desktop Experience does not enable any of the Windows Vista features by default; you must manually enable them.
Failover Clustering
Failover Clustering allows multiple servers to work together to provide high availability of services and applications. Failover Clustering is often used for file and print services, database, and e-mail applications.
Group Policy Management
Group Policy Management makes it easier to understand, deploy, manage, and troubleshoot Group Policy implementations. The standard tool is Group Policy Management Console (GPMC), a scriptable Microsoft Management Console (MMC) snap-in that provides a single administrative tool for managing Group Policy across the enterprise.
Internet Printing Client
Internet Printing Client enables clients to use Internet Printing Protocol (IPP) to connect and print to printers on the network or Internet.
Internet Storage Name Server
Internet Storage Name Server (iSNS) provides discovery services for Internet Small Computer System Interface (iSCSI) storage area networks. iSNS processes registration requests, deregistration requests, and queries from iSNS clients.
LPR Port Monitor
Line Printer Remote (LPR) Port Monitor enables the computer to print to printers that are shared using any Line Printer Daemon (LPD) service. (LPD service is commonly used by UNIX-based computers and printer-sharing devices.)
Message Queuing
Message Queuing provides guaranteed message delivery, efficient routing, security, and priority-based messaging between applications. Message Queuing also accommodates message delivery between applications that run on different operating systems, use dissimilar network infrastructures, are temporarily offline, or that are running at different times.
Multipath I/O
Microsoft Multipath I/O (MPIO), along with the Microsoft Device Specific Module (DSM) or a third-party DSM, provides support for using multiple data paths to a storage device on Windows.
Network Load Balancing
Network Load Balancing (NLB) distributes traffic across several servers, using the TCP/IP networking protocol. NLB is particularly useful for ensuring that stateless applications, such as a Web server running Internet Information Services (IIS), are scalable by adding additional servers as the load increases.
Peer Name Resolution Protocol
Peer Name Resolution Protocol (PNRP) allows applications to register on and resolve names from your computer, so other computers can communicate with these applications.
Quality Windows Audio Video Experience
Quality Windows Audio Video Experience (qWave) is a networking platform for audio and video (AV) streaming applications on Internet protocol home networks. qWave enhances AV streaming performance and reliability by ensuring network quality-of-service for AV applications. It provides admission control, run time monitoring and enforcement, application feedback, and traffic prioritization. On Windows Server platforms, qWave provides only rate-of-flow and prioritization services.
Remote Assistance
Remote Assistance enables you (or a support person) to offer assistance to users with computer issues or questions. Remote Assistance allows you to view and share control of the user’s desktop in order to troubleshoot and fix the issues. Users can also ask for help from friends or co-workers.
Remote Differential Compression
The Remote Differential Compression (RDC) feature is a set of application programming interfaces (APIs) that applications can use to determine whether a set of files has changed and, if so, to detect which portions of the files contain the changes.
Remote Server Administration Tools
Remote Server Administration Tools enables remote management of Windows Server 2003 and Windows Server 2008 from a computer running Windows Server 2008, by allowing you to run some of the management tools for roles, role services, and features on a remote computer.
Removable Storage Manager
Removable Storage Manager (RSM) manages and catalogs removable media and operates automated removable media devices.
RPC over HTTP Proxy
RPC over HTTP Proxy is a proxy that is used by objects that receive remote procedure calls (RPC) over Hypertext Transfer Protocol (HTTP). This proxy allows clients to discover these objects even if the objects are moved between servers or if they exist in discrete areas of the network, usually for security reasons.
Services for NFS
Services for Network File System (NFS) implements NFS, a protocol that acts as a distributed file system, allowing a computer to access files over a network as easily as if they were on its local disks. This feature is available for installation on Windows Server 2008 for Itanium-Based Systems; in other versions of Windows Server 2008, Services for NFS is available as a role service of the File Services role.
Simple TCP/IP Services
Simple TCP/IP Services supports the following TCP/IP services: Character Generator, Daytime, Discard, Echo, and Quote of the Day. Simple TCP/IP Services is provided for backward compatibility and should not be installed unless it is required.
SMTP Server
SMTP Server supports the transfer of e-mail messages between e-mail systems.
SNMP Services
Simple Network Management Protocol (SNMP) is the Internet standard protocol for exchanging management information between management console applications—such as HP Openview, Novell NMS, IBM NetView, or Sun Net Manager—and managed entities. Managed entities can include hosts, routers, bridges, and hubs.
Storage Manager for Storage Area Networks
Storage Manager for Storage Area Networks (SANs) helps you create and manage logical unit numbers (LUNs) on Fibre Channel and iSCSI disk drive subsystems that support Virtual Disk Service (VDS) in your SAN.
Subsystem for UNIX-based Applications
Subsystem for UNIX-based Applications (SUA), along with a package of support utilities available for download from the Microsoft Web site, enables you to run UNIX-based programs, and compile and run custom UNIX-based applications in the Windows environment.
Telnet Client
Telnet Client uses the Telnet protocol to connect to a remote telnet server and run applications on that server.
Telnet Server
Telnet Server allows remote users, including those running UNIX-based operating systems, to perform command-line administration tasks and run programs by using a telnet client.
Trivial File Transfer Protocol Client
Trivial File Transfer Protocol (TFTP) Client is used to read files from, or write files to, a remote TFTP server. TFTP is primarily used by embedded devices or systems that retrieve firmware, configuration information, or a system image during the boot process from a TFTP server.
Windows Internal Database
Windows Internal Database is a relational data store that can be used only by Windows roles and features, such as UDDI Services, AD RMS, Windows Server Update Services, and Windows System Resource Manager.
Windows Internet Name Service (WINS)
Windows Internet Name Service (WINS) provides a distributed database for registering and querying dynamic mappings of NetBIOS names for computers and groups used on your network. WINS maps NetBIOS names to IP addresses and solves the problems arising from NetBIOS name resolution in routed environments.
Windows PowerShell™
Windows PowerShell is a command-line shell and scripting language that helps IT professionals achieve greater productivity. It provides a new administrator-focused scripting language and more than 130 standard command-line tools to enable easier system administration and accelerated automation.
Windows Process Activation Service
Windows Process Activation Service (WAS) generalizes the IIS process model, removing the dependency on HTTP. All the features of IIS that were previously available only to HTTP applications are now available to applications hosting Windows Communication Foundation (WCF) services, using non-HTTP protocols. IIS 7.0 also uses WAS for message-based activation over HTTP.
Windows Server Backup Features
Windows Server Backup Features allow you to back up and recover your operating system, applications, and data. You can schedule backups to run once a day or more often, and can protect the entire server or specific volumes.
Windows System Resource Manager
Windows System Resource Manager (WSRM) is a Windows Server operating system administrative tool that can control how CPU and memory resources are allocated. Managing resource allocation improves system performance and reduces the risk that applications, services, or processes will interfere with each other and degrade server efficiency and system response.
Wireless LAN Service
Wireless LAN (WLAN) Service configures and starts the WLAN AutoConfig service, regardless of whether the computer has any wireless adapters. WLAN AutoConfig enumerates wireless adapters, and manages both wireless connections and the wireless profiles that contain the settings required to configure a wireless client to connect to a wireless network.