Creating and Deploying Active Directory Rights Management Services Templates Step-By-Step Guide
Abstract
This step-by-step guide provides instructions for setting up a test environment for creating and
deploying Active Directory Rights Management Services (AD RMS) rights policy templates on the
Windows Server® 2008 operating system.
This document supports a preliminary release of a software product that may be changed
substantially prior to final commercial release, and is the confidential and proprietary information
of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the
recipient and Microsoft. This document is provided for informational purposes only and Microsoft
makes no warranties, either express or implied, in this document. Information in this document,
including URL and other Internet Web site references, is subject to change without notice. The
entire risk of the use or the results from the use of this document remains with the user. Unless
otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this document may
be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by
any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,
without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Active Directory, Microsoft, MS-DOS, Vista, Windows, Windows NT, and Windows Server are
either registered trademarks or trademarks of Microsoft Corporation in the United States and/or
other countries.
Contents
Creating and Deploying Active Directory Rights Management Services Rights Policy Templates Step-by-Step Guide
About this Guide
What This Guide Does Not Provide
Deploying AD RMS in a Test Environment
Deploying AD RMS in a Test Environment
We recommend that you first use the steps provided in this guide in a test lab environment. Step-
by-step guides are not necessarily meant to be used to deploy Microsoft products without
accompanying documentation and should be used with discretion as a stand-alone document.
Before you start the steps in this guide, you will need to use the steps provided in Windows
Server Active Directory Rights Management Services Step-by-Step Guide
(http://go.microsoft.com/fwlink/?LinkId=72134), also in a lab environment. That guide prepares
the basic infrastructure for an AD RMS deployment, with an AD RMS cluster, AD RMS Logging
database, and domain controller. This step-by-step guide builds on the previous guide, so it is
important to complete it before starting this one. On completion of this step-by-step guide, you will
have a working AD RMS rights policy template. You can then test and verify AD RMS rights policy
template functionality through the simple task of restricting permissions on a Microsoft Office
Word 2007 document with the rights policy template created in this guide.
The test environment described in this guide includes three computers connected to a private
network and using the following operating systems, applications, and services:
ADRMS-DB: Windows Server 2003 with SP1; Microsoft SQL Server™ 2005 Standard Edition
The computers form a private intranet and are connected through a common hub or Layer 2
switch. This configuration can be emulated in a virtual server environment if desired. This step-by-
step exercise uses private addresses throughout the test lab configuration. The private network
ID 10.0.0.0/24 is used for the intranet. The domain controller is named CPANDL-DC for the
domain named cpandl.com.
The following figure shows the configuration of the test environment:
Step 1: Creating a Shared Folder on the AD RMS Cluster
To ease administration of the rights policy templates, you can store AD RMS rights policy
templates in a central location so that they can be copied to the AD RMS clients. Some
distribution methods include using Systems Management Server, Group Policy, or manually
copying the templates to the AD RMS client. In this guide, the rights policy templates are copied
manually.
Note
The AD RMS service account must have Write access to the rights policy template
shared folder in order for the rights policy template export function to work correctly.
To create a shared folder for the AD RMS rights policy templates and set appropriate permissions
for the AD RMS service account, do the following:
9. Click OK twice.
10. Click the Security tab, and then click Edit.
11. Click Add, in the Enter the object names to select box type
CPANDL\ADRMSSRVC, and then click OK.
12. Click ADRMSSRVC (ADRMSSRVC@cpandl.com), and then, in the Permissions
for ADRMSSRVC box, select the Modify check box in the Allow column, and then click
OK.
13. Click Close.
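The Security-tab steps above can also be scripted and then checked. The following PowerShell is an added example, not part of the original guide: it grants the service account Modify on the template folder and lists every Allow entry that can change the folder's contents. The local folder path `C:\ADRMSTemplates` is an assumption (the page names only the share); the account name is the one used in this guide.

```powershell
# Added example, not part of the original guide. Run elevated on the AD RMS server.
param(
    [string]$Path    = 'C:\ADRMSTemplates',  # ASSUMPTION: local folder behind the share
    [string]$Account = 'CPANDL\ADRMSSRVC'    # service account named in this guide
)

$modify  = [System.Security.AccessControl.FileSystemRights]::Modify
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Steps 10-12: add an Allow/Modify entry that applies to the folder and everything in it.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $modify, $inherit, $prop, $allow)
$acl  = Get-Acl -Path $Path
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Check 1: who can change the templates? Mask = write, delete, permission and owner
# changes, plus the raw GENERIC_ALL / GENERIC_WRITE bits (0x50000000) that some
# inherit-only entries carry instead of specific file rights.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask   = [int]$writeRights -bor 0x50000000

$writers = @((Get-Acl -Path $Path).Access | Where-Object {
    $_.AccessControlType -eq $allow -and ([int]$_.FileSystemRights -band $writeMask)
})
$writers | Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize

# Check 2: the service account must appear in that list with the full Modify set.
$svc = @($writers | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    ([int]$_.FileSystemRights -band [int]$modify) -eq [int]$modify
})
if ($svc.Count -eq 0) {
    Write-Warning "$Account does not hold Modify on $Path. The guide's note says template export needs write access."
}
```

Any identity in the first table other than the service account and the administrators who manage the folder is worth reviewing, since those identities can replace or delete the exported template files.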
9. Type CPANDL.COM CC in the Name box.
10. Type CPANDL.COM Company Confidential in the Description box, and then click
Add.
11. Click Next.
12. Click Add, type employees@cpandl.com in The e-mail address of a user or
group box, and then click OK.
13. Select the View check box to grant the EMPLOYEES@CPANDL.COM group Read
access to any document created by using this AD RMS rights policy template.
14. Click Finish.
Note
If DRM was not already created as a part of the key, you must create it manually.
4. Select DRM, click Edit, point to New, click Expandable String Value, and then type
AdminTemplatePath.
5. Double-click the AdminTemplatePath registry value and type
%UserProfile%\AppData\Microsoft\DRM\Templates in the Value data box where %UserProfile%
equals C:\Users\<user name>, and then click OK.
6. Close Registry Editor.
7. Verify that the path C:\Users\nhollida\AppData\Microsoft\DRM\Templates\ is valid. If it
is not, create the appropriate folders.
8. Click Start, type \\ADRMS-SRV\ADRMSTemplates in the Start Search box, and
then press ENTER.
9. Copy the exported AD RMS rights policy templates from \\ADRMS-SRV\ADRMSTemplates
to C:\Users\nhollida\AppData\Microsoft\DRM\Templates.
Note
Copying the AD RMS rights policy templates to the client computer is not required if the
rights policy templates do not have to be available offline.
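A check of the client-side result, written as an added PowerShell example that is not part of the original guide: it confirms that AdminTemplatePath is an Expandable String Value, that the expanded folder exists, and that each local template is byte-identical to the copy on the share. The `-DrmKey` parameter is a placeholder for the DRM registry key from the earlier steps, whose full path is not reproduced on this page; PowerShell 4.0 or later is assumed for `Get-FileHash`.

```powershell
# Added example, not part of the original guide. Run as the user who opens the documents.
param(
    # PLACEHOLDER: full path of the DRM key from the earlier registry steps,
    # in PowerShell form, for example 'HKCU:\<parent key>\DRM'.
    [Parameter(Mandatory = $true)][string]$DrmKey,
    [string]$Share = '\\ADRMS-SRV\ADRMSTemplates'   # share used in this guide
)

$key = Get-Item -Path $DrmKey -ErrorAction Stop
if ($key.GetValueNames() -notcontains 'AdminTemplatePath') {
    throw "AdminTemplatePath is not set under $DrmKey"
}

# Read the value without expansion so the stored text and its type can be inspected.
$noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
$raw      = $key.GetValue('AdminTemplatePath', $null, $noExpand)
$kind     = $key.GetValueKind('AdminTemplatePath')
if ($kind -ne [Microsoft.Win32.RegistryValueKind]::ExpandString) {
    Write-Warning "AdminTemplatePath is stored as $kind, not as an Expandable String Value: '$raw'"
}

$local = [Environment]::ExpandEnvironmentVariables($raw)
if (-not (Test-Path -LiteralPath $local -PathType Container)) {
    throw "Template folder '$local' does not exist"
}

# Compare every file on the share with the local copy by SHA-256.
$report = @(foreach ($src in Get-ChildItem -LiteralPath $Share -File) {
    $dst = Join-Path $local $src.Name
    if (-not (Test-Path -LiteralPath $dst)) {
        $state = 'MissingLocally'
    } elseif ((Get-FileHash -LiteralPath $src.FullName -Algorithm SHA256).Hash -ne
              (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash) {
        $state = 'Differs'
    } else {
        $state = 'Match'
    }
    [pscustomobject]@{ Template = $src.Name; State = $state }
})

# Local files that no longer exist on the share are stale copies.
$onShare = @($report | ForEach-Object { $_.Template })
$report += @(Get-ChildItem -LiteralPath $local -File |
    Where-Object { $onShare -notcontains $_.Name } |
    ForEach-Object { [pscustomobject]@{ Template = $_.Name; State = 'LocalOnly' } })

$report | Sort-Object Template | Format-Table -AutoSize
```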
2. Click Start, point to All Programs, point to Microsoft Office, and then click
Microsoft Office Word 2007.
3. Click the Microsoft Office button, click Open, navigate to \\ADRMS-DB\public, and
then double-click ADRMS-TST.docx.
The following message appears: "Permission to this document is currently restricted.
Microsoft Office must connect to https://adrms-srv.cpandl.com/_wmcs/licensing to
verify your credentials and download your permission."
4. Click OK.
The following message appears: "Verifying your credentials for opening content with
restricted permissions…"
5. When the document opens, click the Microsoft Office button. Notice that the Print
option is not available.
6. Click View Permission in the message bar. You should see that the AD RMS rights
policy template has been applied to this document.
7. Click OK to close the My Permissions dialog box, and then close Microsoft Word.
You have successfully deployed and demonstrated the rights policy template feature of AD RMS,
using the simple scenario of applying a rights policy template to a Microsoft Word 2007
document. You can also use this deployment to explore some of the additional capabilities of
AD RMS through additional configuration and testing.