共用方式為


AD RMS Policy Template Considerations

Applies To: Windows Server 2008, Windows Server 2008 R2

Rights policy templates are used to control the rights that a user or group has on a particular piece of rights-protected content. Active Directory Rights Management Services (AD RMS) stores rights policy templates in the configuration database. Optionally, it may maintain a copy of all rights policy templates in a shared folder that you specify.

When publishing protected content, the author selects the rights policy template to apply from the templates that are available on the local computer. To make rights policy templates available for offline publishing, the administrator must deploy them to client computers from a shared folder. In Windows Vista® with Service Pack 1 (SP1), Windows Server® 2008, Windows® 7, and Windows Server® 2008 R2, rights policy templates are automatically managed by the AD RMS client. A new template distribution pipeline has been created that the AD RMS client can poll for updates. If a rights policy template has been added, changed, or deleted, the client detects these changes and updates the local rights policy templates during its next refresh. The rights policy templates are stored locally on the AD RMS client running Windows Vista with SP1, Windows Server 2008, Windows 7, and Windows Server 2008 R2 in the %localappdata%\Microsoft\DRM\templates folder. For Windows XP, Windows 2000, and Windows Server 2003, the path is %appdata%\Microsoft\DRM\templates.

Note

The new rights policy templates distribution method is only available for AD RMS clients running Windows Vista with SP1, Windows Server 2008, Windows 7, and Windows Server 2008 R2. All versions of the Rights Management Services (RMS) client use the previous method for rights policy template distribution.

When you modify a rights policy template on the AD RMS server, the server updates the template in both the configuration database and the shared folder (if the AD RMS cluster is configured to specify a file location for storing copies of rights policy templates). When using AD RMS clients other than Windows Vista with SP1, Windows Server 2008, Windows 7, and Windows Server 2008 R2, you should redeploy each rights policy template to client computers when they have been modified so that users have the most current version available. AD RMS clients running Windows Vista with SP1, Windows Server 2008, Windows 7, and Windows Server 2008 R2 will automatically detect this change and update the rights policy templates accordingly. Templates can be redeployed several ways including login scripts and using group policies. For more information about deploying rights policy templates see AD RMS Client Deployment and Usage Considerations (https://go.microsoft.com/fwlink/?LinkID=153481).

AD RMS Rights Policy Template Rights Overview

Active Directory Rights Management Services (AD RMS) rights provide the means for controlling how a user can access, use, and redistribute rights-protected content. Some rights are enforced exclusively by AD RMS-enabled applications or browsers, while others are enforced primarily by the AD RMS client (although applications can still apply their own interpretation of the right).

The rights enforced by the AD RMS client control how license information is used, such as whether the license can be used to re-encrypt previously decrypted content. Rights that control how content is used are interpreted and enforced by AD RMS-enabled applications, such as those in the Microsoft Office suite. For example, The Microsoft Office suites enforce the view right by allowing a user to decrypt and view the contents of a protected document if the user has been granted the view right.

The following table lists the rights that are available by default when you create a rights policy template and gives a brief description of how the right is enforced by the AD RMS client and interpreted by common AD RMS-enabled applications.

Note

AD RMS-enabled applications can interpret these rights differently. This is intended as a general description for how these rights are typically used. Consult the documentation of the specific application for information about how these rights are enforced.

  • Full Control – If granted, this right allows a user to exercise all rights in the license, whether or not the rights are specifically granted to that user.

  • View – If this right is granted, the AD RMS client allows protected content to be decrypted. Typically, when this right is granted, the application will allow the user to view protected content.

  • Edit - If this right is granted, the AD RMS client allows protected content to be decrypted and then re-encrypted by using the same content key. Typically, when this right is granted, the application will allow the user to change protected content and then save it to the same file. This right is effectively identical to the Save right.

  • Save - If this right is granted, the AD RMS client allows protected content to be decrypted and then re-encrypted by using the same content key. Typically, when this right is granted, the application will allow the user to change protected content and then save it to the same file. This right is effectively identical to the Edit right.

  • Export (Save As) - If this right is granted, the AD RMS client allows protected content to be decrypted and then optionally re-encrypted by using the same content key. Typically, when this right is granted, the application will allow the user to use the “Save As” feature to save protected content to a new file. Depending on the application, the content might be saved without protection.

  • Print - Typically, when this right is granted, the application will allow the user to print protected content.

  • Forward - Typically, when this right is granted, the application will allow an e-mail recipient to forward a protected message.

  • Reply - Typically, when this right is granted, the application will allow an e-mail recipient to reply to a protected message and include a copy of the original message.

  • Reply All - Typically, when this right is granted, the application will allow an e-mail recipient to reply to all recipients of a protected message and include a copy of the original message.

  • Extract - Typically, when this right is granted, the application will allow the user to copy and paste information from protected content.

  • Allow Macros - Typically, when this right is granted, the application will allow the user to run macros in the document or use an editor to modify macros in the document.

  • View Rights - If this right is granted, the AD RMS client allows a user to create a new publishing license from the existing license, but the content key is not preserved.

  • Edit Rights - If this right is granted, the AD RMS client allows a user to edit the user rights that are assigned by the license while keeping the same content key.

AD RMS-enabled applications, such as those in the Microsoft Office suites, can use AD RMS rights policy templates. When a user applies a rights policy template to content, the rights and conditions it describes become part of the publishing license.

When you open an AD RMS-enabled application, the application retrieves the rights policy templates from the assigned path, which is specified in a registry location. This location can vary depending on the application. The following are the registry locations for Microsoft Office and the XPS Viewer.

Microsoft Office AdminTemplatePath registry key:

HKCU\Software\Microsoft\Office\<X>.0\Common\DRM
(where <X> must be replaced with 11, 12 or 14 for Office 2003, Office 2007 and Office 2010 respectively)

REG_EXPAND: AdminTemplatePath

Value: <path to your AD RMS template> (%LocalAppData%\Microsoft\DRM\Templates)

XPS Viewer AdminTemplatePath registry key:

HKCU\Software\Microsoft\XPSViewer\Common\DRM

REG_EXPAND: AdminTemplatePath

Value: <path to your AD RMS template> (%LocalAppData%\Microsoft\DRM\Templates)

The following table presents the three options for defining the location of the rights policy templates. It also provides the advantages and disadvantages of each.

Solution Component Installation Methods Benefits Consequences

Local computer

  • Copied by script

  • Configured using a custom Office 2003 Installation Pack.

  • Using SMS and template distribution WMI job.

  • Users can rights-protect documents using the rights policy templates available on the machines to which they are logging on.

  • Requires procedures for updating and maintaining the template per user in each computer that a user access.

Shared folder

  • Define internal path to locate templates.

  • Single point to access the rights policy templates.

  • Lack of connectivity on RMS-enabled clients can “disable” the templates, which will make them disappear from the user’s menu.

Shared folder using offline folders

  • Define internal path to locate templates.

  • Single point to access the rights policy templates and configure offline folder use.

  • Requires additional configuration settings.

  • Requires end-user training.

The following table presents the location where you can configure offline folder usage for Active Directory Rights Management Services Template location.

Solution Component Path Configuration Settings

Offline folder location in GPO

Users Configuration node\Administrative Templates\Network\Offline Files

Setting - State

  • Synchronize all offline files when logging on - Enabled

  • Action on Server disconnect - Enabled, and select work offline

  • Non-default server disconnect actions - Enabled, and populate Show value with path (FQDN) of Share Folder. Example: \\rms01.contoso.local\Templates (provide 0 value)

  • Administratively assigned offline files - Enabled, and populate Show value with path (FQDN) of Share Folder. Example: \\rms01.contoso.local\Templates (do not provide additional parameters)

For more information about configuring rights policy templates see Configuring Rights Policy Templates. (https://go.microsoft.com/fwlink/?LinkId=153708).

For more information about setting up rights policy templates see AD RMS Rights Policy Templates Deployment Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=153712).

For more information about deploying rights policy templates see AD RMS Client Deployment and Usage Considerations (https://go.microsoft.com/fwlink/?LinkID=153481).

For more information about developing rights policy templates and extended policy template information see Templates on MSDN (https://go.microsoft.com/fwlink/?LinkId=154807).

Template Distribution

AD RMS templates are used to standardize security policies and keep all information protected according to the latest policy defined. AD RMS rights policy templates provide content authors with an efficient means to implement rights protection of content across the enterprise. Using templates, administrators can restrict rights and conditions for all content that is protected by a policy that is based on groups of users. These options can be distributed throughout the company in several ways. Note that AD RMS offers multiple-language support in a single template, which enables an administrator to create one template that can be used throughout the enterprise.

To ease distribution of rights policy templates, AD RMS introduces a new rights policy template distribution pipeline. This new pipeline allows an AD RMS client to request rights policy templates stored on the AD RMS cluster and store them locally on the client computer. This functionality is available only with AD RMS clients in Windows Vista with SP1, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

For AD RMS clients that are not running on Windows Vista with SP1, Windows Server 2008, Windows 7, and Windows Server 2008 R2, you can manually distribute the rights policy templates from a central location to the client. Some distribution methods include using Systems Management Server (SMS) / System Center Configuration Manager, Group Policy, or manually copying the templates to the client computer through scripts.

For additional information on creating rights policy templates see: Configuring Rights Policy Templates (https://go.microsoft.com/fwlink/?LinkID=153708).

For additional information on setting up rights policy templates see: AD RMS Rights Policy Templates Deployment Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkID=153712).

Automated propagation through default job in Vista SP1

The AD RMS client in Windows Vista® with Service Pack 1 (SP1) requests rights policy templates from the AD RMS cluster by using a scheduled task, which is configured to query the template distribution pipeline on the AD RMS cluster and then gather the templates from that path. This job can be set as automated for internal use or executed manually for use from machines with sporadic connectivity to the AD RMS cluster.

A scheduled task is configured by default in Windows Vista to run up to one hour after a user logs on to the computer and every morning at 03:00. This scheduled task is disabled by default but you can enable and change the default configuration by using the Task Scheduler control panel or by using Group Policy. After the scheduled task is enabled you must configure a registry entry so that the 2007 Microsoft Office System can locate the directory in which the rights policy templates are stored.

The automated scheduled task works only on computers that are joined to your organization’s domain. There is also a manual scheduled task that should be used for users with a domain account who are using a client computer that is not joined to your organization’s domain. The manual task will only download the templates immediately after being started and when the user logs in. In order for the manual scheduled task to work in such clients, you must configure the Enterprise Publishing client registry override found in the following registry entry:

HKEY_LOCAL_MACHINE\Software\Microsof\MSDRM\ServiceLocation\EnterprisePublishing

To enable the automated scheduled task in a Windows Vista AD RMSclient:

  1. Log on to an AD RMS client with an account that has administrative rights to the client.

  2. Click Start, and then click Control Panel.

  3. Double-click Administrative Tools, and then double-click Task Scheduler.

  4. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  5. Expand Task Scheduler Library, expand Microsoft, expand Windows, and then click Active Directory Rights Management Services Client.

  6. Right-click AD RMS Rights Policy Template Management (Automated), and then click Enable.

  7. Close Task Scheduler.

  8. Log on to an AD RMS client with a standard user account, wait for about an hour, and check the following directory: %LocalAppData%\Microsoft\DRM\Templates where %LocalAppData% equals C:\Users\logonID\AppData\Local. Once the rights policy templates are copied to the client, you are ready to use the templates.

You can configure the template download path by using the following registry entry:

  1. Click Start, type regedit.exe in the search box, and then press ENTER.

  2. Expand the following registry key: HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM (if any of the subkeys do not exist, create them).

  3. Right-click DRM, click New, and then click Expandable String Value.

  4. In the Value name box, type AdminTemplatePath, and then press ENTER.

  5. Double-click the AdminTemplatePath registry value and type %LocalAppData%\Microsoft\DRM\Templates in the Value data box, and then click OK.

  6. Close Registry Editor.

The automated scheduled task can also be enabled from the command prompt or though Systems Management Server or Group Policy by using the following command:

schtasks /Change /TN "\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)" /ENABLE

The following is a short Visual Basic script example for using the schtasks command.

Option Explicit
Dim WshShell
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run "schtasks /Change /TN ""Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)"" /ENABLE"

The automated scheduled task will not query the AD RMS template distribution pipeline each time that this scheduled task runs. Instead, it checks the updateFrequency DWORD value registry entry. This registry entry specifies the time interval (in days) after which the client should update its rights policy templates. By default the registry key is not present on the client computer. In this scenario, the client checks for new, deleted, or modified rights policy templates every 30 days. To configure an interval other than 30 days, create a registry entry at the following location:

HKEY_CURRENT_USER\Software\Microsoft\MSDRM\TemplateManagement.

In this registry key, you can also configure the updateIfLastUpdatedBeforeTime value, which forces the client computer to update its rights policy templates.

Distribution on legacy clients

On older clients such as Windows XP, the new rights policy template distribution pipeline is not available. For these AD RMS clients you can manually distribute the rights policy templates from a central location to the client. Some distribution methods include using Systems Management Server (SMS) / System Center Configuration Manager, Group Policy, or manually copying the templates to the client computer through scripts.

For any template distribution mechanism that will gather the template files from one central location you must configure an export location for the rights policy templates. The rights policy templates exported to this shared folder must be copied to the folder specified in the AdminTemplatePath registry entry.

HKCU\Software\Microsoft\Office\12.0\Common\DRM

REG_EXPAND_SZ: AdminTemplatePath

Value: <path to your AD RMS templates>

See the Office Registry Settings section earlier in this document for additional information.

Note that the XPS viewer requires that you set a registry key in order to display the templates. You will need to define the following registry key for use of rights templates with XPS:

HKCU\Software\Microsoft\XPSViewer\Common\DRM

REG_SZ: AdminTemplatePath

Value:<path to templates>

See the XPS Registry Settings section earlier in this document for additional information.

Notice that the XPS path needs to use a REG_SZ path which means that you cannot use an environment variable and must create a separate path to store the template.

Distribution through login scripts

Login scripts can help distribute the rights policy templates by copying them from a file share to the local computers. Once you create a script, you can provide the script to the AD RMS user clients via Group Policy object (GPO). Be aware that the login script runs every time a user logs on to the computer.

To enable login scripts, you will need to:

  1. Create a script and store it in a location within the SYSVOL folder.

  2. Assign the permissions to the script to run.

  3. Assign the script to GPO.

Create a script and store it in a location within the SYSVOL folder

You can use logon scripts to assign tasks that will be performed when a user logs on to a particular computer. The scripts can be stored in the following the location in a Windows Server 2008 domain controller where GUID is hexadecimal string for specific Group Policy object in use.

%SystemRoot%\SYSVOL\sysvol\<domain DNS name>\Policies\{GUID}\User\Scripts\Logon

Note

If you are using a Windows Server 2003 domain controller, you can store the login script in the following location:
%SystemRoot%t\SYSVOL\sysvol\domainname \scripts

Sample logon script:

' -------------------------------------------------------------------' 
' This is an example Visual Basic script to copy the xml files to the ADRMS 
' template locations for both Windows XP SP2 and Windows Vista. 
' 
' This script always copies the xml files to the location. You 
' can improve the script to copy the files only when not existing or when 
' updated. You should also add error checking. Make sure that a firewall  
' is open to copy the files through a network.
' --------------------------------------------------------------------
Option Explicit   

Dim Obj,objFileSys
Dim OSVersion
Dim ADRMSTemplatePath, ADRMSTempatePathParent
Dim pathUserProfile, pathLocalAppData
Dim orginalTemplatePath

' -------------------------------------------------------------------- 
' Change this file location for AD RMS rights policy templates. 
' --------------------------------------------------------------------
orginalTemplatePath = "\\FileServer\Templates\*.xml"

Set Obj=WScript.CreateObject("Wscript.Shell") 
Set objFileSys = CreateObject("Scripting.FileSystemObject")

OSVersion=Obj.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentVersion") 

' --------------------------------------------------------------------
' Check operating system version and call create directory and copy
' the file functions.
' --------------------------------------------------------------------
If OSVersion = 5.1 then  ' XP
 pathUserProfile=ExpandEnvironment("%USERPROFILE%") 
 ADRMSTemplatePath = objFileSys.BuildPath(pathUserProfile, "Application Data\Microsoft\DRM\Templates")
CreateFolderAndCopy(ADRMSTemplatePath)
Elseif  OSVersion = 6.0 then  ' Vista
 pathLocalAppData=ExpandEnvironment("%LocalAppData%")
 ADRMSTemplatePath = objFileSys.BuildPath(pathLocalAppData, "Microsoft\DRM\Templates")
CreateFolderAndCopy(ADRMSTemplatePath)
Else ' add more if you wish
End If

Set Obj = Nothing
Set objFileSys = Nothing

' --------------------------------------------------------------------
' Create folder and copy subroutine.
' --------------------------------------------------------------------
Sub CreateFolderAndCopy(Path)

ADRMSTempatePathParent = objFileSys.GetParentFolderName(Path)

If objFileSys.FolderExists(Path) <> True Then
 if objFileSys.FolderExists(ADRMSTempatePathParent) <> True then
    objFileSys.CreateFolder ADRMSTempatePathParent
 End If
    objFileSys.CreateFolder Path
End If

'  add path and error checking 
objFileSys.CopyFile orginalTemplatePath, Path

End Sub

' --------------------------------------------------------------------
' Get environment variable.
' --------------------------------------------------------------------

Function ExpandEnvironment(Environment)   
  
    On Error Resume Next  
    Dim objWshShell        
  
    Set objWshShell = WScript.CreateObject("WScript.Shell")   
    If Err.Number = 0 Then  
        ExpandEnvironment = objWshShell.ExpandEnvironmentStrings(Environment)   
    Else  
        WScript.Echo "Error: " & Err.Description   
    End If  
  
    Set objWshShell = Nothing  
End Function  

Assign the script to GPO

After you copy the script to the appropriate location, use the following steps:

  1. Open Group Policy Management console and navigate to Group Policy Objects tree view under your domain.

  2. Right-click an appropriate Group Policy object and click Edit. If none exists, create a new Group Policy object.

  3. In the Group Policy Management Editor, locate the following folder:

    User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)

  4. Double-click the Logon script object. Click Add, click Browse, and then click the script you want to add.

  5. After you select the script, click Open, and then click OK.

  6. Click OK, and then close the Group Policy Management console.

For more information see Create System Startup / Shutdown and User Logon / Logoff Scripts (https://go.microsoft.com/fwlink/?LinkId=154253).

Distribution through group policy

Rights templates may also be deployed through group policy. For this to work you first need to package your template files into a Windows Installer package. A Windows Installer package includes a Windows Installer definition file that includes files to be deployed and instructions on what to do with them. Explaining how to create a Windows Installer package is beyond the scope of this document, for instructions about different alternatives to create Windows Installer packages see Packaging Software for Deployment (https://go.microsoft.com/fwlink/?LinkId=154255).

File Share with Offline Folders

Another possibility is to access the rights policy templates directly from a file share. To distribute rights policy template through a file share, not only do you need to define local override and configure an export location for the rights policy templates, but you must also copy the rights policy templates to this shared folder.

For more detailed information about deploying rights policy templates using offline folders see AD RMS Client Deployment and Usage Considerations (https://go.microsoft.com/fwlink/?LinkID=153481).

Deployment with an Office Package

In Office 2007, you can use the Office Customization Tool (OCT) to customize an installation of the 2007 Microsoft Office system that allows you to distribute AD RMS rights policy templates to a local hard drive. Previous versions of the Office suite required several tools to customize the setup and to manage Office after installation. The new setup architecture in 2007 Office System simplifies the process of customizing the installation by using a single technology, Windows Installer patching (.MSP files).

Use the following steps to embed AD RMS templates and distribute them:

  1. Copy all of the Office 2007 System setup files and folders into a location, for example \\server\share\Office2007 where you want to install from.

  2. Store AD RMS rights policy templates and batch files into the Update folder in Office 2007 System setup directory.

  3. Run the 2007 Office System setup executable file with the /admin command-line switch, for example \\Server\Share\Office2007\setup.exe /admin.

  4. Choose Office 2007 Enterprise.

  5. In left pane, under Setup, click Add installations and run programs, and add a batch file to create an AD RMS rights policy template folder, and copy the templates. The following is a sample batch file:

    @echo off
    
    rem ** create a adrms template folder
    
    md %LOCALAPPDATA%\Microsoft\DRM\
    md %LOCALAPPDATA%\Microsoft\DRM\Templates\
    
    rem ** copy all of the files and del original
    
    xcopy %APPDATA%\Microsoft\Office\*.xml %LOCALAPPDATA%\Microsoft\DRM\Templates /y /s  /q
    del %APPDATA%\Microsoft\Office\*.xml
    
  6. In left pane, under Additional content, click Add files, and add AD RMS policy templates, selecting the files from Update folder. Select the destination path as [AppDataFolder\Microsoft\Office]. If you change this, modify the location of the templates in the batch file above as well.

  7. Save the MSP file into the location of Update folder.

  8. Run setup.exe to install Office Enterprise 2007.

Multilingual user interface (MUI) considerations for identifying rights policy templates

When setting the identification language for a rights policy template, some inconsistencies can occur when adding or modifying the supported set of languages for rights policy templates.

For example, when you first add an initial identification language using the Create Distributed Rights Policy Template wizard from within the AD RMS console to create a template, the value of Language descriptor displayed in the Template Identification list will display the language by name using native characters from that locale language. This behavior differs from the displayed view of the Language descriptor when viewing this same information on the Identification Information tab for properties of an existing rights policy template, where the descriptor will then be displayed using the localized language name (for example, “Chinese (Simplified, PRC”). Also, this issue occurs for all languages listed when more than a single language is added for template identification purposes.