Installing Windows 2008 R2 ADRMS and Configuring for Exchange 2010 IRM - Part 4

In the previous three posts of this series I showed how to install AD RMS and Exchange 2010 and do their initial configuration. In this part I will show how to configure the desired permissions for each set of users using AD RMS policy templates. As mentioned in the third part, the permissions assigned by the default policy templates may sometimes not be enough, or you may need to assign more rights to some users. This is where the AD RMS feature known as Rights Policy Templates comes into play. We will see how to configure these templates.
32. To create a new policy template, select Rights Policy Templates in the left-hand pane and then click Create Distributed Rights Policy Template.
33. Create a folder named RMS_Templates at the desired location. Share this folder and give Authenticated Users permission to view the folder content. After that, give the RMS service account Full Control of this folder. Right-click the Rights Policy Templates node in the figure above and then select Properties. Read more at Creating an AD RMS Rights Policy Template.
34. This will open the Create Distributed Rights Policy Templates wizard. Click the Add button in the wizard.
35. Provide a meaningful name and description for the new template that you are going to create and click the Add button.
36. Click the Next button on the wizard page that is shown in step 33.
37. Let us consider that you have a group of people who should only be able to view certain emails and should not be able to forward, reply to or print these emails. You need to create a distribution group for such people using EMC and add all of them as members of it. After you have created the group and added the appropriate people to it, you can specify this group of individual users in the AD RMS wizard that is open. Now you can select only the View right from the rights list box. If you want to configure expiration, revocation or extended policies you can do so using the wizard, or you can simply click Finish.
38. You can set the expiration policies on the next page. Expiration policy settings depend entirely on your company's requirements.
39. On the next page you can specify the extended policies as shown in the figure below. When you have OWA users it is recommended that you choose this setting. Click Finish to close the wizard.
40. After you have completed the wizard you will see a new template in the AD RMS management snap-in. To review the rights configured in this template, right-click it and select View Rights Summary.
41. The next, important step is to deploy this template to the clients. There are a few more steps to configure, and they are well explained in the TechNet article Configuring the AD RMS client.
42. Once you have configured the templates, follow Configuring the AD RMS client to configure the clients. You can use Group Policy or System Center Configuration Manager to deploy the settings to the whole organization.
43. If you have followed the article Configuring the AD RMS client correctly, you will be able to see the newly created templates in your AD RMS-aware application, for instance Outlook.
44. You will also see the XML templates downloaded to the %LocalAppData%\Microsoft\DRM\Templates folder of the currently logged-on user.
    • If you do not see the content of this folder, or the folder itself, you must create this folder hierarchy manually.
    • Also, if the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM does not exist, it should be created manually so that the AdminTemplatePath expandable string value can be specified.
    • For Office 2010 the registry key changes to HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\DRM
    Again, you must follow the article Configuring the AD RMS client.
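
The manual fix-up in step 44 can be scripted per user. The following PowerShell is an added example, not code from the original post or the TechNet article; it assumes the templates live in the %LocalAppData% folder named above and that only the two Office keys mentioned in the post (12.0 and 14.0) are relevant.

```powershell
# Added example (not from the original post): per-user fix-up for step 44.
# Assumptions: templates are stored in the folder named in the post, and the
# Office versions of interest are the two keys it mentions (12.0 and 14.0).
$RawPath        = '%LocalAppData%\Microsoft\DRM\Templates'
$TemplatePath   = [Environment]::ExpandEnvironmentVariables($RawPath)
$OfficeVersions = '12.0', '14.0'

# Create the folder hierarchy if it is missing.
if (-not (Test-Path -LiteralPath $TemplatePath)) {
    New-Item -ItemType Directory -Path $TemplatePath -Force | Out-Null
}

foreach ($ver in $OfficeVersions) {
    # Skip Office versions that have no per-user hive for this account.
    if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$ver")) { continue }

    $key = "HKCU:\Software\Microsoft\Office\$ver\Common\DRM"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # ExpandString writes REG_EXPAND_SZ, so the value is stored unexpanded
    # and resolves to each user's own profile when Office reads it.
    New-ItemProperty -Path $key -Name 'AdminTemplatePath' `
        -PropertyType ExpandString -Value $RawPath -Force | Out-Null

    # Read the value back without expansion to confirm type and content.
    $reg = Get-Item -Path $key
    New-Object PSObject -Property @{
        OfficeVersion = $ver
        ValueKind     = $reg.GetValueKind('AdminTemplatePath')
        RawValue      = $reg.GetValue('AdminTemplatePath', $null,
                                      'DoNotExpandEnvironmentNames')
    }
}

# List the template files present, so a missing or stale template
# (for example the view-only template from step 37) is noticed.
Get-ChildItem -LiteralPath $TemplatePath -Filter *.xml |
    Select-Object Name, LastWriteTime, Length
```

Run it in the user's own session (for example as a logon script), since both the folder and the registry key are per user.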
In the next part of this series I will show how to use Microsoft Exchange 2010 rules with these templates to automate the protection of email messages and Office attachments.
