To ease administration of the rights policy templates, you
can store AD RMS rights policy templates in a central location so that
they can be copied to the AD RMS clients. Some distribution methods
include using Systems Management Server, Group Policy, or manually copying the
templates to the AD RMS client. In this guide, the rights policy templates
are copied manually.
Note
The AD RMS service account must have Write access to
the rights policy template shared folder in order for the rights policy
template export function to work correctly.
To create a shared folder for the AD RMS rights policy
templates and set appropriate permissions for the AD RMS service account,
do the following:
To create an AD RMS rights
policy templates shared folder
1. Log on to ADRMS-SRV as
CPANDL\Administrator.
2. Click Start, click Computer, and then double-click Local Disk
(C:).
3. Create a new folder named ADRMSTemplates.
Click Organize, click New Folder,
type the name ADRMSTemplates, and
then press ENTER.
4. Right-click the ADRMSTemplates
folder, and then click Properties.
5. Click the Sharing tab,
and then click Advanced Sharing.
6. Select the Share this Folder
check box, and then click Permissions.
7. Click Add, in the Enter the object names to select box type CPANDL\ADRMSSRVC, and then click OK.
8. In the Group or user names
box, click ADRMSSRVC (ADRMSSRVC@cpandl.com), and then,
in the Permissions for ADRMSSRVC box, select the Change check box in the Allow column.
9. Click OK twice.
10. Click the Security tab,
and then click Edit.
11. Click Add, in the Enter the object names to select box type CPANDL\ADRMSSRVC, and then click OK.
12. Click ADRMSSRVC
(ADRMSSRVC@cpandl.com), and then, in the Permissions
for ADRMSSRVC box, select the Modify check box in
the Allow column, and then click OK.
13. Click Close.
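The same folder, share, and permissions can be scripted. The following is an added example, not part of the original guide; it uses the folder, share, and account names from the steps above and assumes an elevated PowerShell session on ADRMS-SRV.

```powershell
# Added example: scripted form of steps 3-12 for the AD RMS service account.
$Path    = 'C:\ADRMSTemplates'
$Share   = 'ADRMSTemplates'
$Account = 'CPANDL\ADRMSSRVC'

# Step 3: create the folder if it does not exist yet.
if (-not (Test-Path -LiteralPath $Path)) {
    New-Item -ItemType Directory -Path $Path | Out-Null
}

# Steps 10-12: NTFS Modify, inherited by files (OI) and subfolders (CI).
icacls $Path /grant "${Account}:(OI)(CI)M"
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Steps 5-9: share the folder and give the account Change at the share level.
# Access over the network is limited by the more restrictive of the share and
# NTFS permissions, which is why the guide sets both.
net share "$Share=$Path" "/GRANT:$Account,CHANGE"
if ($LASTEXITCODE -ne 0) { throw "net share failed with exit code $LASTEXITCODE" }

# Check: confirm an Allow entry with at least Modify exists for the account.
$modify = [System.Security.AccessControl.FileSystemRights]::Modify
$entry = (Get-Acl -Path $Path).Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $modify) -eq $modify
}
if (-not $entry) { throw "$Account does not have Modify on $Path" }
"{0} has {1} on {2}" -f $Account, $entry[0].FileSystemRights, $Path
```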
As mentioned earlier in this guide, AD RMS rights
policy templates are created on the AD RMS cluster and then exported to a
shared folder. If your users will be using the AD RMS-enabled application
only when connected to the internal network, the templates can be accessed from
the shared folder by the clients as needed. In this case, all AD RMS users
should have Read access to this shared folder in order for them to use the
rights policy template.
Alternatively, the templates can be copied from the shared
folder to the client computers. This enables the templates to be used when
users are not connected to the network, such as when traveling with a laptop or
from another mobile device. Because the most common deployment is to copy the
templates to the client computers, this is the approach explained in this
guide.
To create a new AD RMS rights
policy template
1. Open the Active Directory Rights Management
Services Administration console. Click Start, point to Administrative Tools, and then click Active
Directory Rights Management Services.
2. In the Active Directory Rights Management
Services Administration console, click LocalHost.
3. In the Tasks box in
the Results pane, click Manage rights
policy templates.
4. To enable exporting of the AD RMS
rights policy templates, click Properties in the Actions pane.
5. Select the Enable export check
box, type \\adrms-srv\ADRMSTemplates
in the Specify templates file location (UNC) box, and
then click OK.
6. In the Actions pane,
click Create Distributed Rights Policy Template to
start the Create Distributed Rights Policy Template wizard.
7. Click Add.
8. In the Language list,
choose the appropriate language for the rights policy template.
9. Type CPANDL.COM
CC in the Name box.
10. Type CPANDL.COM
Company Confidential in the Description box, and
then click Add.
11. Click Next.
12. Click Add, type employees@cpandl.com in The
e-mail address of a user or group box, and then click OK.
13. Select the View check
box to grant the EMPLOYEES@CPANDL.COM group Read access to any document
created by using this AD RMS rights policy template.
14. Click Finish.
The AD RMS client is included in the default
installation of Windows Vista. Previous versions of the client are
available for download for other Windows operating systems.
This guide assumes that an AD RMS cluster is already
configured in a test environment. Additionally, extra configuration is required
on the AD RMS client workstation so that the rights policy templates are
accessible. To make the AD RMS rights policy templates accessible, you
must copy the AD RMS rights policy templates to the client computer and
create a registry entry that points to the location of the rights policy
templates.
In order for the AD RMS client computer to locate the
templates, you must add a registry entry and copy the AD RMS rights policy
templates locally. To do this, you must complete the following steps before
rights-protecting a document:
To make AD RMS templates
available to users on ADRMS-CLNT
1. Log on to ADRMS-CLNT as Nicole Holliday
(nhollida@cpandl.com).
2. Click Start, type regedit.exe in the Start
Search box, and then click the regedit.exe icon
under Programs.
3. Expand the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM
Note
If DRM was not already created as a part of the
key, you must create it manually.
4. Select DRM, click Edit, point to New, click Expandable String Value, and then type AdminTemplatePath.
5. Double-click the AdminTemplatePath
registry value and type %UserProfile%\AppData\Microsoft\DRM\Templates
in the Value data box where %UserProfile% equals C:\Users\<user
name>, and then click OK.
6. Close Registry Editor.
7. Verify that the path
C:\Users\nhollida\AppData\Microsoft\DRM\Templates\ is valid. If it is not,
create the appropriate folders.
8. Click Start, type \\ADRMS-SRV\ADRMSTemplates in the Start Search box, and then press ENTER.
9. Copy the exported AD RMS rights policy
templates from \\ADRMS-SRV\ADRMSTemplates to
C:\Users\nhollida\AppData\Microsoft\DRM\Templates.
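Steps 3 through 9 can also be run as a script in the user's session. The following is an added example, not part of the original guide; it uses the registry key, value name, and paths from the steps above, and it checks that the value was stored as an expandable string so that %UserProfile% is resolved when it is read.

```powershell
# Added example: scripted form of steps 3-9, run as the logged-on user
# (the key is under HKEY_CURRENT_USER, so it applies to that user only).
$Key    = 'HKCU:\Software\Microsoft\Office\12.0\Common\DRM'
$Name   = 'AdminTemplatePath'
$Value  = '%UserProfile%\AppData\Microsoft\DRM\Templates'
$Source = '\\ADRMS-SRV\ADRMSTemplates'

# Step 3: create the DRM key only if it is missing, so existing values survive.
if (-not (Test-Path -Path $Key)) {
    New-Item -Path $Key -Force | Out-Null
}

# Steps 4-5: create the value as an expandable string (REG_EXPAND_SZ).
New-ItemProperty -Path $Key -Name $Name -PropertyType ExpandString `
    -Value $Value -Force | Out-Null

# Check: a plain string (REG_SZ) would keep %UserProfile% as literal text.
$regKey = Get-Item -Path $Key
$kind   = $regKey.GetValueKind($Name)
if ($kind -ne [Microsoft.Win32.RegistryValueKind]::ExpandString) {
    throw "$Name is $kind, expected ExpandString"
}

# Step 7: GetValue expands environment variables; create the folder if needed.
$Local = $regKey.GetValue($Name)
New-Item -ItemType Directory -Path $Local -Force | Out-Null

# Steps 8-9: copy the exported templates from the share to the local folder.
if (-not (Test-Path -Path $Source)) { throw "Cannot reach $Source" }
Copy-Item -Path (Join-Path $Source '*') -Destination $Local -Force

# Report what the client will now find locally.
Get-ChildItem -Path $Local | Select-Object Name, Length, LastWriteTime
```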
Note
Copying the AD RMS rights policy templates to the
client computer is not required if the rights policy templates do not have to
be available offline.
To verify the functionality of the AD RMS deployment,
you log on as Nicole Holliday and then restrict permissions on a Microsoft
Word 2007 document by using the AD RMS rights policy template created
earlier in this guide. This policy gives CP&L employees the ability to read
the document but not to change, print, or copy. All other people have no access
at all to the document. You then log on as Stuart Railson and verify that
Stuart Railson, a member of the Employees group at CP&L, cannot print the
document.
To restrict permissions on a
Microsoft Word 2007 document
1. Log on to ADRMS-CLNT as Nicole Holliday
(nhollida@cpandl.com).
2. Click Start, click All Programs, click Microsoft Office,
and then click Microsoft Office Word 2007.
3. Type CP&L
Employees cannot print this document on the blank document page, click
the Microsoft Office button, point to Finish,
point to Restrict Permission, click Restrict
Permission as, select nhollida@cpandl.com in the
Select User dialog box, and then click OK.
4. In the Permission dialog
box, select the Restrict permission to this document check
box, click Read, and then type the name of the user or group to
be restricted. In this case, type employees@cpandl.com,
and then click OK twice.
5. Click the Microsoft Office button,
click Save As, and then save the file as
\\ADRMS-DB\public\ADRMS-TST.docx.
6. Log off as Nicole Holliday.
Next, log on as Stuart Railson and open the document,
ADRMS-TST.docx.
To view a protected document
1. Log on as Stuart Railson
(srailson@cpandl.com).
2. Click Start, point to
All Programs, point to Microsoft Office,
and then click Microsoft Office Word 2007.
3. Click the Microsoft Office button,
click Open, navigate to \\ADRMS-DB\public, and then
double-click ADRMS-TST.docx.
The following message appears: "Permission
to this document is currently restricted. Microsoft Office must connect to
https://adrms-srv.cpandl.com/_wmcs/licensing to verify your credentials and
download your permission."
4. Click OK.
The following message appears: "Verifying
your credentials for opening content with restricted permissions…"
5. When the document opens, click the Microsoft Office button. Notice that the Print
option is not available.
6. Click View Permission in
the message bar. You should see that the AD RMS rights policy template has
been applied to this document.
7. Click OK to close the
My Permissions dialog box, and then close Microsoft
Word.
You have successfully deployed and demonstrated the rights
policy templates feature of AD RMS, using the simple scenario of applying
a rights policy template to a Microsoft Word 2007 document. You can also
use this deployment to explore some of the additional capabilities of
AD RMS through additional configuration and testing.