

Deploying RMS Client

This post covers deploying the RMS client, activating the client, and rights-protecting a document :)

 

The RMS client can be deployed manually or via GPO or any software installation solution.

Manual installation of the client is simple and need not be documented. The following section describes automatic deployment of the RMS client (for XP machines) using GPO.

Download the RMS client from the following link

https://www.microsoft.com/downloads/details.aspx?FamilyId=02DA5107-2919-414B-A5A3-3102C7447838&displaylang=en

 

Installing the RMS Client via GPO

This section describes the steps involved in deploying the RMS client via GPO. The initial step is to create the GPO and check in the installer.

Creating GPO

a. On AD server, log on as <Domain Name>\Administrator.

b. Click the Start menu, click Run, then type c:\adrms\install\rms client v1.0 sp2\windowsrightmanagementservicessp2-KB917275-client-enu-x86.exe /extract and click OK.

c. Under Choose Directory for Extracted Files, verify the path is c:\adrms\install\rms client v1.0 sp2\ and click OK.

d. In the Extraction Complete window, click OK.

e. Click the Start menu, click Run, then type gpmc.msc and press Enter.

f. Expand forest: xxxxx node.

g. Expand the Domains node.

h. Expand the xxxxx node and then click Group Policy Objects.

i. Right-click and select New.

j. Under New GPO, type XP – AD RMS Clients and click OK.

k. Select the Group Policy object called XP – AD RMS Clients, right-click the GPO, and then click Edit.

l. In the Group Policy Management Editor, click Computer Configuration node, expand Policies, and expand Software Settings.

m. Right-click Software Installation, select New, and then select Package.

n. In the File name box, type \\<FQDN of AD Server>\ADRMS\install\RMS Client V1.0 SP2, and then click Open.

o. Select the file msdrmclient.msi and then click Open. Also perform the same steps for RMClientBackCompat.msi

p. In the Deploy Software dialog box, select the option Assigned and click OK.

q. Wait for several seconds, and then refresh the page.

r. Verify that the installation package appears in the right-hand panel.

s. Close the Group Policy Management Editor.

t. On the Group Policy Management left panel, right-click WMI Filters, and select New.

u. Under New WMI filter, in the Name box, type “OS XP”. In the Description box, type “Only target computers running Windows XP Professional”.

v. Click Add.

w. In the WMI Query window, in the Namespace box, verify the value root\CIMv2, and under Query type the following line:

Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"

x. Click OK, and then click Save.

y. Expand Group Policy Objects and select XP – AD RMS Clients. In the right panel under WMI Filter, click the drop-down box and select OS XP.

z. On Group Policy Management Windows, click Yes.

aa. On the left panel, click xxxxx, xxx OU, Workstation OU, and then right-click XP and select Link an Existing GPO.

bb. On Select XP OU, select XP – AD RMS Clients, and click OK.

cc. Under xxxxx, right-click XP – AD RMS Clients link, and select Enforced.

dd. Close all windows.

ee. Log off.

 

Installing the client

The AD RMS client software is deployed using GPO.

a. Log on as User.

The installation process begins at the time that the GPOs are applied to the computer in the start-up process.

b. Click Start, then Control Panel, double-click Add or Remove Programs, and verify that Windows Rights Management Client with Service Pack 2 appears in the Currently installed programs list.

c. If the AD RMS client doesn’t appear in the list, click Start, click Run and type “gpupdate /force”. At the message prompt click “Y”, then restart the client machine.

d. Close all open windows.

 

This ensures the clients are deployed in your organization automatically. If you need to test manually, you can simply run the RMS Client installer and it will install.

The next logical step after client deployment is to activate the RMS Client.

 

Activating the RMS Client.

a. After opening Word, open the Office menu, select Prepare, and then Restrict Access.

b. Check Restrict Permission to this Document and click OK. This should trigger the AD RMS client activation. After that, close Word without saving the document.

c. Log on to client machine as end user.

d. Click the Start menu, click Run, then type WinWord and press Enter.

Microsoft Word opens with a blank default page.

e. Click the Office button, then select Prepare, Restrict Permission, and then click Restricted Access.

Notice the message configuring your computer for Information Rights Management.

Notice the message verifying your logon information for opening content with restricted permission.

This process installs a machine certificate, a rights account certificate, and a client licensor certificate for the user profile.

f. After the activation messages are complete, select the Restrict permission to this document check box, and then click the All users button (the button with the icon depicting two people) to the right of the Read box

 

Note: This restricts access to all AD RMS-enabled users in your RMS domain.

g. Click Cancel and close Word.

 

If you select OK, the document gets rights protected :)

If you want to mass-activate the client, the best way is to send a rights-protected mail to all users. The moment a user opens the mail, the RMS Client contacts the RMS Server and activates. Activation is nothing more than generating the machine certificates and RACs.

 

Verifying that the Certificates (Machine and RACs) are generated

The client licensor certificate named CLC-<username>@xxxxx, the machine certificate named CERT-Machine.drm, and the RAC named GIC-<user_name>@xxxxx are all visible in the user’s profile.

a. Click Start, and point to Computer to start Windows Explorer.

b. Press the ALT key and click Tools menu, then click Folder Options.

c. On the View tab, enable Show hidden files and folders.

d. Click OK.

e. Browse to C:\Users\<user name>\AppData\Local\Microsoft\DRM.

f. Verify that the following files exist:

· CLC-<user_name>@xxxx.com

· CERT-Machine.drm

· GIC-<User_name>@xxxxx.com

g. Close Windows Explorer.
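
The three checks used in this post (the WMI filter query, the Add or Remove Programs entry, and the certificate files in the DRM folder) can also be run from one Windows PowerShell function on a client, logged on as the end user. This is an added example, not part of the original post: the function name Test-RmsClientDeployment is hypothetical, and it assumes Windows PowerShell (for Get-WmiObject) and a profile where %LOCALAPPDATA% points at the AppData\Local folder shown above.

```powershell
# Added example: post-deployment check for a single client.
# Strings and file-name patterns are taken from the steps in this post.
function Test-RmsClientDeployment {
    param(
        # Assumption: same folder as step e above; pass another path to override.
        [string]$DrmPath = (Join-Path $env:LOCALAPPDATA 'Microsoft\DRM')
    )

    # 1. Would the "OS XP" WMI filter select this machine?
    $wql = 'Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"'
    $filterMatch = @(Get-WmiObject -Namespace 'root\CIMv2' -Query $wql).Count -gt 0

    # 2. Is the client listed where Add or Remove Programs reads its entries?
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $installed = @(Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Windows Rights Management Client*' }).Count -gt 0

    # 3. Did activation leave the three certificates in the user profile?
    #    -Force lists hidden items, which Explorer only shows after steps b to d.
    $files = @()
    if (Test-Path -LiteralPath $DrmPath) {
        $files = @(Get-ChildItem -LiteralPath $DrmPath -Force |
            Where-Object { -not $_.PSIsContainer })
    }
    # Helper: true when at least one file name matches the wildcard pattern.
    $has = { param($pattern) @($files | Where-Object { $_.Name -like $pattern }).Count -gt 0 }

    New-Object PSObject -Property @{
        WmiFilterMatches   = $filterMatch
        ClientInstalled    = $installed
        DrmFolderExists    = (Test-Path -LiteralPath $DrmPath)
        MachineCert        = (& $has 'CERT-Machine.drm')   # machine certificate
        RightsAccountCert  = (& $has 'GIC-*')              # RAC
        ClientLicensorCert = (& $has 'CLC-*')              # CLC
    }
}

Test-RmsClientDeployment | Format-List
```

If WmiFilterMatches is False the GPO will never apply to that machine; if ClientInstalled is False, repeat the gpupdate /force and restart step; if only the certificate fields are False, the client is installed but has not been activated yet.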

 

Now the users in your organization can start sending rights-protected mails, documents, Excel spreadsheets, presentations, and anything else you intend to protect.

 

But if you want to classify information (confidential, read only, etc.) and assign rights uniformly at the enterprise level, then you need to look at RMS Templates and configure them.

I will describe the steps to create templates and distribute them automatically in my next post.