AD RMS Bulk Protection Tool and File Classification Infrastructure – Step-by-Step
Microsoft Corporation
Published: January 2010
Author: Bill Mathers
Editor: John Andrilla
Acknowledgements
Special thanks to the following people for reviewing and providing invaluable feedback for this
document:
Clinton Ho, Microsoft Corporation.
Matthias Wollnik, Microsoft Corporation.
Saket Kataruka, Microsoft Corporation.
Jason Tyler, Microsoft Corporation.
Abstract
This document will assist architects, consultants, system engineers, and system administrators in
deploying the AD RMS Bulk Protection Tool in conjunction with Windows Server 2008 R2 File
Classification Infrastructure.
Copyright
The information contained in this document represents the current view of Microsoft Corporation
on the issues discussed as of the date of publication. Because Microsoft must respond to
changing market conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the
date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the
rights under copyright, no part of this document may be reproduced, stored in or introduced into a
retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission
of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place
or event is intended or should be inferred.
© 2009 Microsoft Corporation. All rights reserved.
Active Directory, Microsoft, MS-DOS, Visual Studio, Windows, and Windows NT are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
Contents
AD RMS Bulk Protection Tool and FCI Step-by-Step
  About this Guide
    What This Guide Does Not Provide
Requirements for this Document
The Scenario
  Scenario description
    The testing environment
    Required Groups
    Required accounts
Implementing the Procedures in this Document
  Step 1 - Create FabrikamUsers Organizational Unit
  Step 2 - Create Test Users
  Step 3 - Create Test Groups
  Step 4 - Add Users to Groups
  Step 5 - Install FCI on Windows Server 2008 R2
  Step 6 - Install AD RMS Bulk Protection Tool
  Step 7 - Create ADRMSPublic Shared Folder
  Step 8 - Create Fabrikam Confidential Rights Policy Template
  Step 9 - Create Fabrikam FTE Confidential Rights Policy Template
  Step 10 - Add AD RMS Cluster URL to Local Intranet for Local System
  Step 11 - Grant FCI Machine Account Read and Execute Permissions
  Step 12 - Grant AD RMS Service Group Read and Execute Permissions
  Step 13 - Create FabrikamDocuments Shared Folder
  Step 14 - Grant FCI Server Send As Rights
  Step 15 - Configure FCI for E-mail Notification
  Step 16 - Change Timeout on Certification Path Validation Settings
  Step 17 - Create Business Impact Classification Property
  Step 18 - Create dateEncrypted Classification Property
  Step 19 - Create LBI Classification Rule
  Step 20 - Create HBI Classification Rule
  Step 21 - Restrict Files to Fabrikam Employees
  Step 22 - Restrict Files to Full-Time Fabrikam Employees
Testing the Implementation
  Step 1 - Create an Intellectual Property Word Document
  Step 2 - Create a General Word Document
  Step 3 - Run File Server Resource Manager Classification Rules
  Step 4 - Run File Management Tasks
  Step 5 - Consume Documents As Britta Simon
    Consume Documents as Britta Simon
  Step 6 - Consume Documents As Lola Jacobson
    Consume Documents as Lola Jacobson
  Step 7 - Check Administrator's Email
Appendix A - MarkLBIandProtect Windows PowerShell Script
Appendix B - MarkHBIandProtect Windows PowerShell Script
Appendix C - Using a Regular Expression with FCI
AD RMS Bulk Protection Tool and FCI Step-by-Step
About this Guide
This step-by-step guide walks you through the process of configuring the AD RMS Bulk
Protection Tool and FCI in a test environment. Windows Server 2008 R2 File Classification
Infrastructure provides a built-in solution for file classification, allowing administrators to automate
manual processes with predefined policies based on the data's business value.
In this guide, the AD RMS Bulk Protection Tool will be used in conjunction with FCI to apply AD
RMS rights policies based on the classifications that are determined by FCI.
As you complete the steps in this guide, you will:
Install File Classification Infrastructure on Windows Server 2008 R2
Install and Configure the AD RMS Bulk Protection Tool
Configure FCI to use the AD RMS Bulk Protection Tool to apply policies based on business
impact.
Verify the policies have been applied successfully.
What This Guide Does Not Provide
This guide does not provide the following:

Guidance for setting up and configuring Active Directory Domain Services in either a
production or test environment. This guide assumes that Active Directory Domain Services is
already configured in the test environment. For more information about configuring Active
Directory Domain Services, see AD DS Installation and Removal Step-by-Step Guide
(http://go.microsoft.com/fwlink/?LinkId=154567).

Guidance for setting up and configuring Active Directory Certificate Services in either a
production or test environment. This guide assumes that Active Directory Certificate Services
is already configured and working in the test environment. You must ensure that you have a
valid SSL certificate and that the certificate chain is trusted in order for the AD RMS Bulk
Protection Tool to automatically bootstrap the machine and the FCI Local System account.
For more information about configuring Active Directory Certificate Services, see Active
Directory Certificate Services (http://go.microsoft.com/fwlink/?LinkId=179761).

Guidance for setting up and configuring AD RMS in either a production or test environment.
This guide assumes that AD RMS is already configured and working in the test environment.
For more information about configuring AD RMS, see the AD RMS Step-by-Step Guide
(http://go.microsoft.com/fwlink/?LinkID=154256).

Guidance for setting up and configuring Exchange Server 2007 SP1 in either a production or
test environment. This guide assumes that Exchange 2007 SP1 is already set up and
configured in the test environment. For more information about configuring Exchange Server
2007 SP1, see Microsoft Exchange Server 2007 (http://go.microsoft.com/fwlink/?LinkId=154564).

Guidance for setting up and configuring Windows PowerShell in either a production or test
environment. This guide assumes that Windows PowerShell is already set up and configured
in the test environment on the FCI.fabrikam.com server. For more information about
configuring Windows PowerShell using Server Manager, see Windows Server 2008 Server
Manager Technical Overview (http://go.microsoft.com/fwlink/?LinkId=178642).

Guidance for installing PsExec in either a production or test environment. PsExec is a
lightweight telnet replacement that lets you execute processes on other systems, complete with
full interactivity for console applications, without having to manually install client software.
This guide assumes that PsExec is already set up in the test environment on
the CLT1.fabrikam.com client. For more information about PsExec, see PsExec v1.97
(http://go.microsoft.com/fwlink/?LinkId=179150).
Requirements for this Document
The following table summarizes the Microsoft software that was used in this guide.
Software | Additional Information
Windows Server® 2008 Enterprise 32-bit edition | Windows Server® 2008 Enterprise (http://go.microsoft.com/fwlink/?LinkId=156710)
Windows Server® 2008 R2 | Windows Server® 2008 R2 (http://go.microsoft.com/fwlink/?LinkId=165669)
Windows® 7 Enterprise | Windows® 7 Enterprise (http://go.microsoft.com/fwlink/?LinkId=160776)
Active Directory Domain Services | Active Directory (http://go.microsoft.com/fwlink/?LinkId=156712)
Active Directory Certificate Services | Active Directory Certificate Services (http://go.microsoft.com/fwlink/?LinkId=179761)
Active Directory Rights Management Services (AD RMS) | Active Directory Rights Management Services (AD RMS) (http://go.microsoft.com/fwlink/?LinkId=163969)
Microsoft SQL Server 2008 Service Pack 1, 64-bit edition | Microsoft SQL Server 2008 (http://go.microsoft.com/fwlink/?LinkId=156714)
Microsoft Exchange Server 2007 Service Pack 1, 64-bit | Microsoft Exchange Server 2007 (http://go.microsoft.com/fwlink/?LinkId=156715)
Microsoft Office 2007 with Service Pack 2 | Microsoft Office 2007 (http://go.microsoft.com/fwlink/?LinkId=156717)
Microsoft Hyper-V | Microsoft Hyper-V (http://go.microsoft.com/fwlink/?LinkID=156719)
File Classification Infrastructure | FCI (http://go.microsoft.com/fwlink/?LinkId=165668)
Microsoft Windows PowerShell 2.0 | Windows PowerShell 2.0 (http://go.microsoft.com/fwlink/?LinkId=178634)
Internet Information Services (IIS) 7.0 | IIS 7.0 (http://go.microsoft.com/fwlink/?LinkId=160778)
AD RMS Bulk Protection Tool | AD RMS Bulk Protection Tool (http://go.microsoft.com/fwlink/?LinkId=166237)
Sysinternals PsExec | PsExec v1.97 (http://go.microsoft.com/fwlink/?LinkId=179150)
The Scenario
Scenario description
Fabrikam, a fictitious company, has a number of file servers that store the company's documents.
These documents may be general documentation or may have a high business impact (HBI). For
example, any document that contains intellectual property is deemed, by Fabrikam, to have a
high business impact. Fabrikam wants to ensure that all their documentation has a minimum
amount of protection and that their HBI documentation is restricted to only full-time employees.
In order to accomplish this, Fabrikam is exploring using the AD RMS Bulk Protection Tool in
conjunction with File Classification Infrastructure (FCI) available in Windows Server 2008 R2.
Using FCI, Fabrikam will classify all of the documents on their file server based on the content
and then use the AD RMS Bulk Protection Tool to apply the appropriate rights policy. Fabrikam has
set up a test environment to evaluate these functions.
The testing environment
The scenario outlined in this document has been developed and tested on two stand-alone
computers running the 64-bit editions of the Windows Server® 2008 R2 operating system and
Hyper-V. The servers have two 3.0 gigahertz (GHz) dual-core processors and 8 gigabytes (GB) of
RAM each. Using Hyper-V, the following virtual machines were created on the hosts.
Table 1 Virtual Machines and Roles
Computer Name | Forest | Operating System | Memory (MB) | Applications and Services | IP Address
DC | fabrikam.com | Windows Server 2008 x64 SP2 | 512 | Active Directory, DNS, Certificate Authority | 192.168.100.100
EX | fabrikam.com | Windows Server 2008 x64 SP2 | 2048 | Exchange 2007, IIS 7.0 | 192.168.100.101
ADRMS | fabrikam.com | Windows Server® 2008 R2 x64 | 1024 | AD RMS, SQL Server 2008 SP1, IIS 7.0 | 192.168.100.102
FCI | fabrikam.com | Windows Server® 2008 R2 x64 | 1024 | File Classification Infrastructure | 192.168.100.103
CLT1 | fabrikam.com | Windows 7 Enterprise x86 | 1024 | Microsoft Office Word 2007 Enterprise Edition SP2 | 192.168.100.104
CLT2 | fabrikam.com | Windows 7 Enterprise x86 | 1024 | (none) | 192.168.100.105
Hyper-V is not a requirement to complete the steps outlined later. These steps can be
implemented on physical computers as long as they reflect the same roles as the preceding table.
Required Groups
The following table summarizes the universal groups used in this step-by-step guide.
Table 2 Group Summary
Group Name | Group Scope | Group Type
All Staff | Universal | Security
All FTE | Universal | Security
All Contractors | Universal | Security
Required accounts
The following table summarizes the accounts used in this step-by-step guide.
Table 3 Required Accounts
Account | Display name | Forest | Group Membership | Password | Description
bsimon | Britta Simon | fabrikam.com | All FTE | Pass1word$ | User account.
ljacobson | Lola Jacobson | fabrikam.com | All Contractors | Pass1word$ | User account.
Implementing the Procedures in this Document
The following steps will guide you through setting up the initial environment. This part of the
document will illustrate setting up the AD RMS Bulk Protection Tool and FCI.
This section is comprised of the following steps:
1. Step 1 – Create FabrikamUsers Organizational Unit
2. Step 2 – Create Test Users
3. Step 3 – Create Test Groups
4. Step 4 – Add Users to Groups
5. Step 5 – Install FCI on Windows Server 2008 R2
6. Step 6 – Install the AD RMS Bulk Protection Tool
7. Step 7 – Create ADRMSPublic Shared Folder
8. Step 8 – Create Fabrikam Confidential Rights Policy Template
9. Step 9 – Create Fabrikam FTE Confidential Rights Policy Template
10. Step 10 - Add the AD RMS Cluster URL to Local Intranet
11. Step 11 – Grant FCI Machine Account Read and Execute Permissions
12. Step 12 – Grant AD RMS Service Group Read and Execute Permissions
13. Step 13 – Create FabrikamDocuments Shared Folder
14. Step 14 – Grant FCI Server Send As Rights
15. Step 15 – Configure FCI for E-mail Notification
16. Step 16 – Change Timeout on Certification Path Validation Settings
17. Step 17 – Create Business Impact Classification Property
18. Step 18 – Create dateEncrypted Classification Property
19. Step 19 – Create LBI Classification Rule
20. Step 20 – Create HBI Classification Rule
21. Step 21 – Restrict Files to Fabrikam Employees
22. Step 22 – Restrict Files to Full-time Employees
Step 1 - Create FabrikamUsers Organizational Unit
This step explains how to create an organizational unit in fabrikam.com. This organizational unit
will store all of the test users and groups.
To create the organizational unit
1. Log on to DC.fabrikam.com as Administrator.
2. Click Start, select Administrative Tools, and click Active Directory Users and
Computers. This opens the Active Directory Users and Computers MMC snap-in.
3. In Active Directory Users and Computers, in the tree view on the left,
right-click fabrikam.com, select New, and then click Organizational Unit.
4. In the Name box, type FabrikamUsers. Click OK.
5. Close Active Directory Users and Computers.
Step 2 - Create Test Users
This step explains how to create and mailbox-enable the test users in fabrikam.com. These
accounts will be used to verify that the AD RMS Bulk Protection Tool and FCI are working
correctly.
Table 1 Required Accounts
First Name | Last Name | User logon name | Display name | Forest | Password
Britta | Simon | bsimon | Britta Simon | fabrikam.com | Pass1word$
Lola | Jacobson | ljacobson | Lola Jacobson | fabrikam.com | Pass1word$
To create the test User Accounts
1. Log on to the DC.fabrikam.com Server as Administrator.
2. Click Start, select Administrative Tools, and click Active Directory Users and
Computers.
3. Expand fabrikam.com, right-click FabrikamUsers, select New and then select User.
This will bring up the New Object – User window.
4. On the New Object – User screen, in the First Name box, enter Britta.
5. On the New Object – User screen, in the Last Name box, enter Simon.
6. On the New Object – User screen, in the User logon name: box, enter bsimon and
click Next.
7. On the New Object – User screen, in the Password box, enter Pass1word$.
8. On the New Object – User screen, in the Confirm Password box, enter Pass1word$.
9. On the New Object – User screen, remove the check from User must change
password at next logon.
10. On the New Object – User screen, add a check to Password never expires and click
Next.
11. Click Finish.
12. Repeat these steps for all of the accounts listed in the Required Accounts table.
To Mailbox-Enable the User Accounts
1. Log on to the EX.fabrikam.com Server as Administrator.
2. Click Start, click All Programs, click Microsoft Exchange Server 2007, and click
Exchange Management Console.
3. In the Exchange Management Console, expand Recipient Configuration, and click
Mailbox.
4. On the right, in the Actions pane, click New Mailbox… to start the New Mailbox wizard.
5. On the Introduction screen, select User Mailbox and click Next.
6. On the User Type screen, select Existing users and click Add. This will bring up the
Select User – fabrikam.com screen.
7. From the list, using the Ctrl key, select Britta Simon and Lola Jacobson, then click OK.
8. Click Next.
9. On the Group Information screen, click Next.
10. On the Mailbox Settings screen, under Mailbox database, click Browse. This will bring
up the Select Mailbox Database screen.
11. Select the Mailbox Database and click OK. Click Next.
12. On the New Mailbox screen, click Next.
13. On the Completion screen, verify that it was successful and click Finish.
14. Close Exchange Management Console.
Step 3 - Create Test Groups
This step explains how to create and mail-enable the test groups in fabrikam.com. It also
explains how to make certain groups members of other groups. These groups will be used to
determine who has usage rights to the protected content created later in this guide. AD RMS
identifies a group by its e-mail address, so the security groups must be mail-enabled before
they can be named in the rights policy templates created in Steps 8 and 9.
Table 1 Group Summary
Group Name | Group Scope | Group Type
All Staff | Universal | Security
All FTE | Universal | Security
All Contractors | Universal | Security
To create the test Groups
1. Log on to the DC.fabrikam.com Server as Administrator.
2. Click Start, select Administrative Tools, and click Active Directory Users and
Computers.
3. Expand fabrikam.com, right-click FabrikamUsers, select New and then select Group.
This will bring up the New Object – Group window.
4. On the New Object – Group screen, in the Group Name box, enter All Staff.
5. On the New Object – Group screen, under Group scope, select Universal.
6. On the New Object – Group screen, under Group type, select Security.
7. Click OK.
8. Repeat these steps for all of the groups listed in the Group Summary table.
To Mail-Enable the Security Groups
1. Log on to the EX.fabrikam.com Server as Administrator.
2. Click Start, click All Programs, click Microsoft Exchange Server 2007, and click
Exchange Management Console.
3. In the Exchange Management Console, expand Recipient Configuration, and click
Distribution Group.
4. On the right, in the Actions pane, click New Distribution Group… to start the New
Distribution Group wizard.
5. On the Introduction screen, select Existing group and click Browse. This will bring up
the Select Group – fabrikam.com screen.
6. From the list, select All Staff and click OK.
7. Click Next.
8. On the Group Information screen, click Next.
9. On the New Distribution Group screen, click New.
10. On the Completion screen, verify that it was successful and click Finish.
11. Close Exchange Management Console.
12. Repeat these steps for all of the groups listed in the Group Summary table.
To add the All FTE and All Contractors groups to the All Staff group
1. Log on to the DC.fabrikam.com Server as Administrator.
2. Click Start, select Administrative Tools, and click Active Directory Users and
Computers.
3. Expand fabrikam.com, select FabrikamUsers, right-click All Staff, and select
Properties. This will bring up the All Staff Properties window.
4. On the Members tab, click Add. This will bring up the Select Groups dialog box.
5. On the Select Groups dialog box, in the Enter the object names to select (examples)
box, enter All FTE and click Check Names. This should resolve with an underline.
6. Click OK. This will close the Select Groups dialog box.
7. On the Members tab, click Add. This will bring up the Select Groups dialog box.
8. On the Select Groups dialog box, in the Enter the object names to select (examples)
box, enter All Contractors and click Check Names. This should resolve with an
underline.
9. Click OK. This will close the Select Groups dialog box.
10. On the All Staff Properties window, click Apply.
11. Click OK. This will close the All Staff Properties dialog box.
12. Close Active Directory Users and Computers.
Step 4 - Add Users to Groups
This step explains how to add the previously created users to the previously created security
groups.
Table 1 Account Summary
First Name | Last Name | User logon name | Member of
Britta | Simon | bsimon | All FTE
Lola | Jacobson | ljacobson | All Contractors
To add test user accounts to test groups
1. Log on to the DC.fabrikam.com Server as Administrator.
2. Click Start, select Administrative Tools, and click Active Directory Users and
Computers.
3. Expand fabrikam.com, select FabrikamUsers, right-click Britta Simon, and select
Properties. This will bring up the Britta Simon Properties window.
4. On the Member Of tab, click Add. This will bring up the Select Groups dialog box.
5. On the Select Groups dialog box, in the Enter the object names to select (examples)
box, enter All FTE and click Check Names. This should resolve with an underline.
6. Click OK. This will close the Select Groups dialog box.
7. On the Britta Simon Properties window, click Apply.
8. Click OK. This will close the Britta Simon Properties dialog box.
9. Repeat these steps for all of the accounts listed in the Account Summary table,
substituting the appropriate Member of value.
10. Close Active Directory Users and Computers.
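The objects built by hand in Steps 1 through 4 can also be provisioned from Windows PowerShell. The script below is an added example and is not part of the original guide. It assumes the ActiveDirectory module is available (the RSAT-AD-PowerShell feature on Windows Server 2008 R2) and that the domain controller answers Active Directory Web Services requests, which a Windows Server 2008 SP2 DC such as the one in Table 1 only does with the Active Directory Management Gateway Service installed. The UPN suffix fabrikam.com and the function name Test-FabrikamMembership are this example's own choices.

```powershell
# Added example, not part of the original guide: provisions the Step 1-4 objects
# with the ActiveDirectory module instead of the Active Directory Users and
# Computers console. Assumes the module is installed (RSAT-AD-PowerShell on
# Windows Server 2008 R2) and that the DC answers Active Directory Web Services
# requests. The password is the guide's test value, not a production secret.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName          # DC=fabrikam,DC=com
$ouDn     = "OU=FabrikamUsers,$domainDn"
$password = ConvertTo-SecureString 'Pass1word$' -AsPlainText -Force

# Step 1: the organizational unit that holds the test users and groups
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'FabrikamUsers'")) {
    New-ADOrganizationalUnit -Name 'FabrikamUsers' -Path $domainDn
}

# Step 3: universal security groups from Table 2, then nest All FTE and
# All Contractors inside All Staff (mail-enabling is done in Exchange)
foreach ($g in 'All Staff', 'All FTE', 'All Contractors') {
    New-ADGroup -Name $g -GroupScope Universal -GroupCategory Security -Path $ouDn
}
Add-ADGroupMember -Identity 'All Staff' -Members 'All FTE', 'All Contractors'

# Steps 2 and 4: the test accounts and their direct group memberships. The
# account settings mirror the console steps: no forced change at first logon,
# password never expires (acceptable only because this is a lab).
$accounts = @(
    @{ First = 'Britta'; Last = 'Simon';    Logon = 'bsimon';    Group = 'All FTE' }
    @{ First = 'Lola';   Last = 'Jacobson'; Logon = 'ljacobson'; Group = 'All Contractors' }
)
foreach ($a in $accounts) {
    $display = "$($a.First) $($a.Last)"
    New-ADUser -Name $display -DisplayName $display -GivenName $a.First -Surname $a.Last `
        -SamAccountName $a.Logon -UserPrincipalName "$($a.Logon)@fabrikam.com" `
        -Path $ouDn -AccountPassword $password -Enabled $true `
        -ChangePasswordAtLogon $false -PasswordNeverExpires $true
    Add-ADGroupMember -Identity $a.Group -Members $a.Logon
}

# Check: AD RMS expands group membership through nested groups when it grants
# a use license, so bsimon must resolve as a member of All Staff even though
# she was only put in All FTE. LDAP_MATCHING_RULE_IN_CHAIN makes the DC walk
# the nesting server-side. Function name is this example's own.
function Test-FabrikamMembership {
    param([string]$SamAccountName, [string]$GroupName)
    $groupDn = (Get-ADGroup -Identity $GroupName).DistinguishedName
    $filter  = "(&(sAMAccountName=$SamAccountName)(memberOf:1.2.840.113556.1.4.1941:=$groupDn))"
    return [bool](Get-ADUser -LDAPFilter $filter)
}

Test-FabrikamMembership -SamAccountName 'bsimon'    -GroupName 'All Staff'
Test-FabrikamMembership -SamAccountName 'ljacobson' -GroupName 'All FTE'
```

The two checks at the end should report True for bsimon in All Staff (reached through All FTE) and False for ljacobson in All FTE; if the first is False, the nesting from Step 3 is missing and the Fabrikam Confidential template in Step 8 will not cover full-time employees. The Exchange parts of Steps 2 and 3 are done separately in the Exchange Management Shell with Enable-Mailbox and Enable-DistributionGroup.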
Step 5 - Install FCI on Windows Server 2008 R2
This step explains how to install FCI on Windows Server® 2008 R2. FCI is delivered as part of the
File Server Resource Manager role service of the File Services role.
To install File Classification Infrastructure
1. Log on to the FCI.fabrikam.com Server as Administrator.
2. Click Start, select Administrative Tools, and click Server Manager.
3. On the left, right-click Roles and select Add Roles. This will bring up the Add Roles
Wizard.
4. On the Before you Begin screen, click Next.
5. On the Select Server Roles screen, click the box next to File Services and click Next.
6. On the File Services screen, click Next.
7. On the Select Role Services screen, click the box next to File Server Resource
Manager and click Next.
8. On the Configure Storage Usage Monitoring screen, click Next.
9. On the Confirm Installation Selections screen, click Install.
10. On the Installation Results screen, verify the installation was successful and click
Close.
11. Close Server Manager.
Step 6 - Install AD RMS Bulk Protection Tool
This step explains how to install the AD RMS Bulk Protection Tool.
To install the AD RMS Bulk Protection Tool
1. Log on to the FCI.fabrikam.com Server as Administrator.
2. Navigate to where you downloaded the tool and double-click rmsbulk.msi. This will
bring up the Rights Management Services Bulk Protection Tool Setup wizard.
3. On the Welcome to the Rights Management Services Bulk Protection Tool Setup
Wizard screen, click Next.
4. On the End-User License Agreement screen, read the EULA, click I accept the terms
in the License Agreement and click Next.
5. On the Destination Folder screen, click the Change button, navigate to
C:\Windows\SysWOW64 and click OK. Verify the path is now SysWOW64 and click Next.
6. On the Ready to install Rights Management Services Bulk Protection Tool screen,
click Install.
7. On the Completed the Rights Management Services Bulk Protection Tool Setup
Wizard screen, click Finish.
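Steps 5 and 6 can be scripted on FCI.fabrikam.com from an elevated Windows PowerShell prompt. The block below is an added example, not code from the guide or from the tool's own documentation. It assumes rmsbulk.msi was downloaded to C:\Downloads, that the MSI honours the standard INSTALLDIR public property, and that the installed executable is named RmsBulk.exe; none of these are stated in the guide, so confirm them against your copy of the tool before relying on the final check.

```powershell
# Added example, not part of the original guide: Steps 5 and 6 from an elevated
# PowerShell prompt on FCI.fabrikam.com. Assumptions (not stated in the guide):
# rmsbulk.msi was downloaded to C:\Downloads, the MSI honours the standard
# INSTALLDIR public property, and the installed executable is RmsBulk.exe.
Import-Module ServerManager

# Step 5: File Services with the File Server Resource Manager role service,
# which is where the classification engine (FCI) lives
Add-WindowsFeature FS-FileServer, FS-Resource-Manager

# Step 6: unattended install into the SysWOW64 folder the guide specifies,
# with a verbose log so a failed install can be diagnosed
$msi     = 'C:\Downloads\rmsbulk.msi'
$target  = Join-Path $env:windir 'SysWOW64'
$log     = Join-Path $env:windir 'Temp\rmsbulk-install.log'
$msiArgs = "/i `"$msi`" INSTALLDIR=`"$target`" /qn /l*v `"$log`""
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "msiexec exited with $($proc.ExitCode); see $log"
}

# Check: both pieces the later steps depend on are in place
function Test-FciPrerequisites {
    $fsrm = Get-WindowsFeature -Name FS-Resource-Manager
    return @{
        FsrmInstalled   = [bool]$fsrm.Installed
        BulkToolPresent = Test-Path (Join-Path $env:windir 'SysWOW64\RmsBulk.exe')
    }
}

Test-FciPrerequisites
```

Test-FciPrerequisites returns a hashtable with both values True when the role service and the tool are in place; a False for BulkToolPresent with a zero exit code usually means the MSI ignored INSTALLDIR and the path or executable name assumed above needs adjusting.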
Step 7 - Create ADRMSPublic Shared Folder
This step explains how to create the ADRMSPublic shared folder. This shared folder will be used
to store the AD RMS rights policy templates exported in Step 8.
To create the ADRMSPublic Shared Folder
1. Log on to ADRMS.fabrikam.com as Administrator.
2. Click Start, click Computer, and then double-click Local Disk (C:).
3. Click File, point to New, and then click Folder.
4. Type ADRMSPublic for the new folder, and then press ENTER.
5. Right-click ADRMSPublic, and then click Share.
6. On the File Sharing window, in the box under Type the name of the person you want
to share with and click Add…, enter Everyone and click Add. The Everyone group
should now appear in the box below with the Permission Level Reader.
7. On the File Sharing window, in the box under Type the name of the person you want
to share with and click Add…, enter ADRMS Service and click Add. The ADRMS Service
account should now appear in the box below. Set its Permission Level to
Contributor.
Important
If you have set up AD RMS with a different service account name, use that
account in the step above.
8. Click Share. The window should change and you should now see Your folder is
shared.
9. Click Done.
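The same share can be created from an elevated Windows PowerShell prompt on ADRMS.fabrikam.com. The block below is an added example, not part of the original guide. The File Sharing wizard used above sets both the share ACL and the NTFS ACL; net share only sets the share ACL, so the example grants the NTFS side with icacls and then checks both. It assumes the AD RMS service account is FABRIKAM\ADRMS Service, as in the guide, and the function name Test-AdrmsPublicShare is the example's own.

```powershell
# Added example, not part of the original guide: Step 7 from an elevated
# PowerShell prompt on ADRMS.fabrikam.com. Assumption: the AD RMS service
# account is FABRIKAM\ADRMS Service (the guide's name). Everyone only needs
# to read the exported templates; only the service account writes them.
$folder = 'C:\ADRMSPublic'
$svc    = 'FABRIKAM\ADRMS Service'

New-Item -ItemType Directory -Path $folder -Force | Out-Null

# NTFS ACL: Modify for the service account, Read/Execute for Everyone,
# both inherited by files and subfolders (OI)(CI). ${svc} keeps PowerShell
# from reading "$svc:" as a drive reference.
& icacls $folder /grant "${svc}:(OI)(CI)M" "Everyone:(OI)(CI)RX"

# Share ACL: READ (Reader) for Everyone, CHANGE (Contributor) for the service
# account. Each /GRANT is quoted so the comma is not parsed by PowerShell.
& net share "ADRMSPublic=$folder" '/GRANT:Everyone,READ' "/GRANT:$svc,CHANGE"

# Check: share exists and the service account really has NTFS write access,
# which the share ACL alone does not give it
function Test-AdrmsPublicShare {
    $share = Get-WmiObject -Class Win32_Share -Filter "Name='ADRMSPublic'"
    $acl   = Get-Acl -Path $folder
    $svcWrite = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $svc -and
        $_.FileSystemRights.ToString() -match 'Modify|FullControl'
    }
    return @{
        ShareExists     = [bool]$share
        ServiceCanWrite = [bool]$svcWrite
    }
}

Test-AdrmsPublicShare
```

Both values should be True before Step 8 enables template export to \\adrms\ADRMSPublic; a share that exists without ServiceCanWrite is the usual cause of the export silently producing no template files.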
Step 8 - Create Fabrikam Confidential Rights Policy Template
This step explains how to create the Fabrikam Confidential Rights Policy Template. This template
will be the minimum rights protection placed on all content within Fabrikam's organization.
To create the Fabrikam Confidential Rights Policy Template
1. Log on to ADRMS.fabrikam.com as Administrator.
2. Open the Active Directory Rights Management Services Administration console. Click
Start, point to Administrative Tools, and then click Active Directory Rights
Management Services.
3. If the User Account Control dialog box appears, confirm that the action it displays is
what you want, and then click Continue.
4. In the Active Directory Rights Management Services Administration console, expand the
cluster name.
5. Click Rights Policy Templates and ensure that Distributed Rights Policy Templates
information appears in the center pane. On the right, in the Actions pane, click
Properties. This will bring up the Rights Policy Templates Properties dialog box.
6. On the Rights Policy Templates Properties dialog box, select the Enable export check
box, type \\adrms\ADRMSPublic in the Specify templates file location (UNC) box, and
then click OK.
7. On the right, in the Actions pane, click Create Distributed Rights Policy Template to
start the Create Distributed Rights Policy Template wizard.
8. Click Add.
9. In the Language box, choose the appropriate language for the rights policy template.
10. Type Fabrikam Confidential in the Name box.
11. Type This content is confidential and proprietary information intended for Fabrikam
employees only and provides the following user rights: View, Reply, Reply All,
Save, Edit, and Forward in the Description box, and then click Add.
12. Click Next.
13. Click Add, type [email protected] in The e-mail address of a user or group
box, and then click OK.
14. Select the View, Reply, Reply All, Save, Edit, and Forward check boxes.
15. Click Finish.
Step 9 - Create Fabrikam FTE Confidential Rights Policy Template
This step explains how to create the Fabrikam FTE Confidential Rights Policy Template. This
template will be the rights protection placed on all content that is deemed to have a High
Business Impact within Fabrikam's organization.
To create the Fabrikam FTE Confidential Rights Policy Template
1. Log on to ADRMS.fabrikam.com as Administrator.
2. Open the Active Directory Rights Management Services Administration console. Click
Start, point to Administrative Tools, and then click Active Directory Rights
Management Services.
3. In the Active Directory Rights Management Services Administration console, expand the
cluster adrms.fabrikam.com.
4. Click Rights Policy Templates.
5. On the right, in the Actions pane, click Create Distributed Rights Policy Template to
start the Create Distributed Rights Policy Template wizard.
6. Click Add.
7. In the Language box, choose the appropriate language for the rights policy template.
8. Type Fabrikam FTE Confidential in the Name box.
9. Type This content is confidential and proprietary information intended for Fabrikam
full-time employees only and provides the following user rights: View, Reply, Reply
All, Save, Edit, and Forward in the Description box, and then click Add.
10. Click Next.
11. Click Add, type [email protected] in The e-mail address of a user or group box,
and then click OK.
12. Select the View, Reply, Reply All, Save, Edit, and Forward check boxes.
13. Click Finish.
Step 10 - Add AD RMS Cluster URL to Local Intranet for Local System
This step explains how to add the AD RMS Cluster URL to the Local intranet zone in Internet Explorer
on FCI.fabrikam.com for the Local System account. Because the zone setting must apply to Local
System rather than to an interactive user, Internet Explorer is started as Local System with PsExec
from CLT1.fabrikam.com.
1. Log on to CLT1.fabrikam.com as Administrator.
2. Click the Windows Button, and in the Search programs and files box type cmd and hit
enter. This will bring up a command-line interface.
3. From the command-line, navigate to C:\PSTools.
Important
If you have PSTools installed to a different location, navigate to that location
from the command-line.
4. From the PSTools directory type psexec \\FCI -u Administrator -p Pass1word$ -i -s
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" and hit enter.
Important
If your Administrator account is different, use your account for the command-line
syntax above.
5. If this brings up the Sysinternals EULA, click accept.
6. Log on to FCI.fabrikam.com as Administrator. There should be an instance of Internet
Explorer running.
7. At the top of Internet Explorer, under Tools, click Internet Options.
8. Click the Security tab and select Local intranet from the Select a zone to view or
change security settings box.
9. Click Sites to show a Local intranet window. Click Advanced.
10. In the Add this website to the zone: box, type https://adrms.fabrikam.com. Click
Add.
11. Place a check in Require server verification (https:) for all sites in this zone and click
Close. Click Ok.
12. Click OK to close the Internet Options dialog box.
Important
At this point, try to access the following URL:
https://adrms.fabrikam.com/_wmcs/certification/certification.asmx. Verify that
there are no certificate errors. If there are, make sure the CA chain is installed
under Trusted Root Certification Authorities for the local system account.
This can be done by right-clicking the certificate error at the top of the browser window
and selecting View certificates. From there, click Certification Path and highlight the
root certificate. Click View Certificate and then install it.
13. Close Internet Explorer.
14. Log off FCI.fabrikam.com.
15. On CLT1.fabrikam.com, close the command window.
Step 11 - Grant FCI Machine Account Read and Execute Permissions
This step explains how to grant the FCI machine account Read & execute permissions on the
ServerCertification.asmx page. This is required so that the AD RMS Bulk Protection Tool can run
under the local system account on the FCI server, which authenticates to AD RMS as the machine
account.
1. Log on to ADRMS.fabrikam.com Server as Administrator
2. Click Start, select Computer, double-click Local Disk (C:), double-click inetpub,
double-click wwwroot, double-click _wmcs, double-click certification, right-click
ServerCertification.asmx and select Properties. This will bring up the
ServerCertification.asmx Properties.
3. On the ServerCertification.asmx properties, select the Security tab, and then click
Edit. This will bring up the Permissions for ServerCertification.asmx.
4. On the Permissions for ServerCertification.asmx screen, click Add. This will bring up
the Select Users, Computers, or Groups screen.
5. On the Select Users, Computers, or Groups screen, to the right, click the Object
Types… button. This will bring up the Object Types screen.
6. On the Object Types screen, place a check in Computers and click Ok. This will close
the Object Types screen.
7. On the Select Users, Computers, or Groups screen, under Enter the object names to
select, enter fabrikam\FCI and click Check Names. This should resolve with an
underline. Click Ok.
8. On the Permissions for ServerCertification.asmx screen, select the newly added
fabrikam\FCI$ and verify that Read & execute is checked. Click Apply, and then click OK.
This will close the Permissions for ServerCertification.asmx screen.
9. On the ServerCertification.asmx properties, click Ok. This will close the
ServerCertification.asmx properties.
Step 12 - Grant AD RMS Service Group Read and Execute Permissions
This step explains how to grant the AD RMS Service Group Read & execute permissions on the
ServerCertification.asmx page. Together with the permission granted in Step 11, this is required so
that the AD RMS Bulk Protection Tool can run under the local system account on the FCI server.
1. Log on to ADRMS.fabrikam.com Server as Administrator
2. Click Start, select Computer, double-click Local Disk (C:), double-click inetpub,
double-click wwwroot, double-click _wmcs, double-click certification, right-click
ServerCertification.asmx and select Properties. This will bring up the
ServerCertification.asmx Properties.
3. On the ServerCertification.asmx properties, select the Security tab, select New, and
click Edit. This will bring up the Permissions for ServerCertification.asmx.
4. On the Permissions for ServerCertification.asmx screen, click Add. This will bring up
the Select Users, Computers, or Groups screen.
5. On the Select Users, Computers, or Groups screen, under Enter the object names to
select, enter ADRMS\AD RMS Service Group and click Check Names. This should
resolve with an underline. Click Ok.
6. On the Permissions for ServerCertification.asmx screen, select the newly added AD
RMS Service Group and verify that Read & execute is checked. Click Apply, and then click OK.
This will close the Permissions for ServerCertification.asmx screen.
7. On the ServerCertification.asmx properties, click Ok. This will close the
ServerCertification.asmx properties.
8. Restart the ADRMS.fabrikam.com server.
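The same two ACEs that Steps 11 and 12 set through the Properties dialog can be granted and then verified from an elevated Windows PowerShell prompt on ADRMS.fabrikam.com. This is an added example, not part of the original guide; it assumes the default AD RMS virtual directory path shown in Steps 11 and 12 and the principal names used in this guide.

```powershell
# Added example (not from the original document): grant Read & execute on
# ServerCertification.asmx to the FCI computer account and to the AD RMS Service Group,
# then read the ACL back and confirm both Allow entries exist.
# Assumes the default AD RMS virtual directory path used in this guide.
$asmx = 'C:\inetpub\wwwroot\_wmcs\certification\ServerCertification.asmx'

# Computer accounts are addressed with a trailing $; the service group is local to the AD RMS server.
$principals = @('FABRIKAM\FCI$', 'ADRMS\AD RMS Service Group')

foreach ($p in $principals) {
    # (RX) is the icacls shorthand for Read & execute; a non-zero exit code means the grant failed.
    & icacls.exe $asmx /grant "$($p):(RX)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $p (exit code $LASTEXITCODE)" }
}

# Verification: each principal must have an Allow ACE that includes ReadAndExecute.
$acl = Get-Acl -Path $asmx
foreach ($p in $principals) {
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $p -and $_.AccessControlType -eq 'Allow'
    }
    if (-not $ace) {
        Write-Warning "No Allow ACE found for $p"
        continue
    }
    $hasRx = ($ace | ForEach-Object { $_.FileSystemRights.ToString() }) -match 'ReadAndExecute|FullControl|Modify'
    Write-Output ('{0}: {1}' -f $p, $(if ($hasRx) { 'Read & execute present' } else { 'Read & execute MISSING' }))
}
```

Run the block after Step 12 and before the restart in step 8; the verification loop is what you would re-run after the reboot to confirm nothing reset the ACL.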
Step 13 - Create FabrikamDocuments Shared Folder
This step explains how to create the FabrikamDocuments shared folder. This is the folder that
will store all of the content Fabrikam wishes to rights protect.
1. Log on to FCI.fabrikam.com as Administrator
2. Click Start, click Computer, and then double-click Local Disk (C:).
3. Click File, point to New, and then click Folder.
4. Type FabrikamDocuments for the new folder, and then press ENTER.
5. Right-click FabrikamDocuments, click Share with, and then click Specific people.
6. On the File Sharing window, in the box under Type a name and then click Add, or
click the arrow to find someone, select Everyone, and then click Add. The Everyone
group should now appear in the box below. Under Permission Level, select
Read/Write.
7. Click Share. The window should change and you should now see Your folder is
shared.
8. Click Done.
Step 14 - Grant FCI Server Send As Rights
This step explains how to grant the FCI machine account the Send As right on the Administrator
account. This will allow the FCI machine to send e-mail notifications as the Administrator when
documents are rights protected.
1. Log on to the EX.corp.fabrikam.com Server as Administrator.
2. Click Start, select Administrative Tools, and click Active Directory Users and
Computers.
3. At the top, select View and then select Advanced Features from the drop-down.
4. On the left, expand fabrikam.com click the Users organizational unit. On the right, right-
click Administrator and then select Properties. This will bring up the Administrator
Properties window.
5. On the Administrator Properties screen, select the Security tab and click Add. This
will bring up the Select Users, Computers, or Groups screen.
6. On the Select Users, Computers, or Groups screen, to the right, click the Object
Types… button. This will bring up the Object Types screen.
7. On the Object Types screen, place a check in Computers and click Ok. This will close
the Object Types screen.
8. On the Select Users, Computers, or Groups screen, under Enter the object names to
select, enter fabrikam\FCI and click Check Names. This should resolve with an
underline. Click Ok.
9. Under Groups or user names:, make sure FCI (FABRIKAM\FCI$) is selected.
10. Under Permissions for FCI, locate Send As and select Allow. Click Apply, and then click OK.
This will close the Administrator Properties screen.
11. Close Active Directory Users and Computers.
Step 15 - Configure FCI for E-mail Notification
This step explains how to add e-mail configuration options to the File Classification Infrastructure.
This will allow e-mail notifications to be sent when documents are rights protected. We will be using
our Exchange 2007 Server for this purpose.
1. Log on to FCI.fabrikam.com as Administrator
2. Click Start, click Administrative Tools, and click File Server Resource Manager.
3. In the File Server Resource Manager, on the right, under Actions, click Configure
Options. This will bring up the File Server Resource Manager Options.
4. Under SMTP server name or IP address, enter EX.fabrikam.com.
5. Under Default administrator recipients, enter [email protected].
6. Under Default “From” e-mail address, enter [email protected].
7. Click OK.
Important
You can test this by using the Send Test E-mail button that is provided on the
File Server Resource Manager Options page.
Step 16 - Change Timeout on Certification Path Validation Settings
This step explains how to change the default path validation cumulative retrieval timeout from 20
seconds to 2 seconds. This is only required because the servers in this environment do not have
Internet access: with the default timeout, certificate path validation blocks on network retrieval
that cannot succeed, and the AD RMS Bulk Protection Tool fails when attempting to activate the
FCI server. If the GPO setting is not changed, the activation fails.
1. Log on to the DC.corp.fabrikam.com Server as Administrator.
2. Click Start, select Administrative Tools, and click Group Policy Management.
3. Expand Forest: fabrikam.com, expand Domains, expand fabrikam.com, right-click
Default Domain Policy, and then select edit. This will bring up the Group Policy
Management Editor.
4. On the left, expand Computer Configuration, expand Windows Settings, expand
Security Settings, and click Public Key Policies.
5. On the right, right-click Certificate Path Validation Settings and click Properties. This
will bring up the Certificate Path Validation Settings Properties.
6. On the Certificate Path Validation Settings screen, click the Network Retrieval tab.
7. On the Network Retrieval screen, place a check in Define these policy settings and in
the middle, change Default path validation cumulative retrieval timeout (in seconds)
to 2.
8. Click Apply and Ok. This will close the Certificate Path Validation Settings.
9. Close Group Policy Management.
Refresh the policy on the FCI server
1. Log on to the FCI.fabrikam.com Server as Administrator
2. Click Start, and click Command Prompt. This will open a command prompt window.
3. From the command prompt, type gpupdate /force and hit Enter. Once this is complete,
it should say that the user and computer policies were updated successfully.
4. Close the Command Prompt.
Step 17 - Create Business Impact Classification Property
This step explains how to create the Business Impact Classification Property. Classification
properties are used to assign values to files. There are many property types that you can choose
from, and you can define them based on the policies your organization wants to enforce. This will
be an ordered list property. A value of High will indicate that the document has a high business
impact, while a value of Low will represent a low business impact.
1. Log on to FCI.fabrikam.com as Administrator
2. Click Start, click Administrative Tools, and click File Server Resource Manager.
3. In the File Server Resource Manager, on the left, expand Classification Management,
and right-click Classification Properties, and select Create Property. This will bring up
the Create Classification Property Definition window.
4. Under Property name, enter Business Impact.
5. Under Description, enter Describes the impact to the business if this file were to be
disclosed to the public. Valid values are High and Low.
6. Under Property type, enter Ordered List.
7. Down under Value enter High. This will add a row below the value we just entered.
8. Under the High value we just added, enter Low.
9. Click OK.
Step 18 - Create dateEncrypted Classification Property
This step explains how to create the dateEncrypted Classification Property. It allows for tracking
which files have already been encrypted and do not need to be encrypted again. This will be a
Date-Time property. It will indicate when the file was last encrypted.
1. Log on to FCI.fabrikam.com as Administrator
2. Click Start, click Administrative Tools, and click File Server Resource Manager.
3. In the File Server Resource Manager, on the left, expand Classification Management,
and right-click Classification Properties, and select Create Property. This will bring up
the Create Classification Property Definition window.
4. Under Property name, enter dateEncrypted.
5. Under Description, enter When this document was encrypted.
6. Under Property type, enter Date-Time.
7. Click OK.
Step 19 - Create LBI Classification Rule
This step explains how to create the LBI Classification Rule. This rule will classify all of our
documents with an LBI property value. Later the HBI Classification Rule will override these LBI
values if the documents match the criteria in the HBI Classification rule.
1. Log on to FCI.fabrikam.com as Administrator
2. Click Start, click Administrative Tools, and click File Server Resource Manager.
3. In the File Server Resource Manager, on the left, expand Classification Management,
and right-click Classification Rules, and select Create a New Rule. This will bring up
the Classification Rule Definitions window.
4. Under Rule name:, enter Low Business Impact.
5. Under Description, enter Classify all documents with low business impact by
default.
6. Under Scope, click Add and browse to FabrikamDocuments. Click OK
7. At the top, click the Classification tab.
8. Under Choose a method to assign the property value, select Folder Classifier from
the drop-down.
9. Under Choose a property value to be assigned, select Business Impact
Classification Property from the drop-down.
10. Under Property value to be assigned, select Low from the drop-down.
11. Click OK.
Step 20 - Create HBI Classification Rule
This step explains how to create the HBI Classification Rule. This rule will search the content of
documents and if the string “Intellectual Property” is found, it will classify this document as having
high business impact. This classification will override any previously assigned classification as
low business impact.
1. Log on to FCI.fabrikam.com as Administrator
2. Click Start, click Administrative Tools, and click File Server Resource Manager.
3. In the File Server Resource Manager, on the left, expand Classification Management,
and right-click Classification Rules, and select Create a New Rule. This will bring up
the Classification Rule Definitions window.
4. Under Rule name:, enter High Business Impact.
5. Under Description, enter Determines if the document has a high business impact
based on the presence of the string “Intellectual Property”.
6. Under Scope, click Add and browse to FabrikamDocuments. Click OK
7. At the top, click the Classification tab.
8. Under Choose a method to assign the property value, select Content Classifier from
the drop-down.
9. Under Choose a property value to be assigned, select Business Impact
Classification Property from the drop-down.
10. Under Property value to be assigned, select High from the drop-down.
11. Click Advanced. This will bring up the Additional Rule Parameters.
12. On the Evaluation Type, place a check in the Re-evaluate existing property values
box and select Aggregate the values.
13. At the top, click the Additional Classification Parameters tab.
14. Under the box that says Name, enter String. Under the box that says Value, enter
Intellectual Property.
15. Click OK. Click OK.
Step 21 - Restrict Files to Fabrikam Employees
This step explains how to create a file management task to restrict access of low business impact
files to Fabrikam employees. This task will apply the Fabrikam Confidential rights policy template
to all of the documents that have been classified with a Low property and that have not already
been encrypted. The original owner of the file will retain full control of the AD RMS protection,
unless the owner is not registered in Active Directory. In that case, the Administrator will gain full
control of the AD RMS protection on the file. It will also send an e-mail message to the owner of
each file when it is encrypted.
1. Log on to FCI.fabrikam.com as Administrator
2. Copy the script from Appendix A into notepad and save it as c:\windows\system32\
MarkLBIandProtect.ps1.
3. Click Start, click Administrative Tools, and click File Server Resource Manager.
4. In the File Server Resource Manager, on the left, right-click File Management Tasks,
and select Create File Management Task. This will bring up the Create File
Management Task window.
5. Under Task name:, enter Restrict files to employees of Fabrikam.
6. Under Description, enter Apply Fabrikam Confidential rights policy.
7. Under Scope, click Add and browse to FabrikamDocuments. Click OK
8. At the top, click the Action tab.
9. Under Type, select Custom from the drop-down.
10. Under Executable, select Browse and navigate to c:\windows\system32\
WindowsPowerShell\v1.0\powershell.exe.
11. Under Arguments, enter -File c:\windows\system32\MarkLBIandProtect.ps1
[Source File Path] [Source File Owner Email] [email protected].
12. Under Run the command as:, select Local System.
13. At the top, click the Condition tab.
14. Click Add. This will bring up the Property Condition window.
15. On the Property Condition window, make sure Property: is set to Business Impact,
set the Operator: to Equals, and for the Value: select Low from the drop-down. Click
Ok.
16. Click Add. This will bring up the Property Condition window.
17. On the Property Condition window, make sure Property: is set to dateEncrypted, and
select not exist for the condition. Click OK.
18. At the top, click the Notification tab.
19. Click Add. This will bring up the Add Notification window.
20. Set the Number of days before the task is executed to send notification to 0.
21. Check Send e-mail to the following administrators:
22. In the box, enter [email protected].
23. Check Send e-mail to the user whose files are about to expire.
24. Under Subject: enter File encrypted.
25. Click OK.
26. At the top, click the Schedule tab.
27. On the Schedule tab, click Create. This will bring up the Schedule window.
28. On the Schedule window, click New.
29. Accept the defaults and click OK. This will close the Schedule window.
30. Click OK. This will close the Create File Management Task window.
Important
After the installation of PowerShell, the execution of scripts is disabled by default.
You must enable your system to run the scripts. This can be done by using the following
command: Set-ExecutionPolicy Unrestricted.
Alternatively, the execution policy can be set to AllSigned and the script can be signed. For
more information about this topic, please see Running Windows PowerShell Scripts
(http://go.microsoft.com/fwlink/?LinkID=119588).
Step 22 - Restrict Files to Full-Time Fabrikam Employees
This step explains how to create a file management task to restrict access of high business
impact files to full-time Fabrikam employees. This task will apply the Fabrikam FTE Confidential
rights policy template to all of the documents that have been classified with a High property. The
original owner of the file will retain full control of the AD RMS protection, unless the owner is not
registered in Active Directory. In that case, the Administrator will gain full control of the AD RMS
protection on the file. It will also send an e-mail to the owner of the document when the template
is applied to the document.
1. Log on to FCI.fabrikam.com as Administrator
2. Copy the script from Appendix B into notepad and save it as c:\windows\system32\
MarkHBIandProtect.ps1.
3. Click Start, click Administrative Tools, and click File Server Resource Manager.
4. In the File Server Resource Manager, on the left, right-click File Management Tasks,
and select Create File Management Task. This will bring up the Create File
Management Task window.
5. Under Task name:, enter Restrict HBI files to full-time Fabrikam employees.
6. Under Description, enter Apply Fabrikam FTE Confidential rights policy.
7. Under Scope, click Add and browse to FabrikamDocuments. Click OK
8. At the top, click the Action tab.
9. Under Type, select Custom from the drop-down.
10. Under Executable, select Browse and navigate to c:\windows\system32\
WindowsPowerShell\v1.0\powershell.exe.
11. Under Arguments, enter -File c:\windows\system32\markHBIandprotect.ps1
[Source File Path].
12. Under Run the command as:, select Local System.
13. At the top, click the Condition tab.
14. Click Add. This will bring up the Property Condition window.
15. On the Property Condition window, make sure Property: is set to Business Impact,
set the Operator: to Equals, and for the Value: select High from the drop-down. Click
Ok.
16. Click Add. This will bring up the Property Condition window.
17. On the Property Condition window, make sure Property: is set to dateEncrypted,
select not exist for the condition, and then click OK.
18. At the top, click the Notification tab.
19. Click Add. This will bring up the Add Notification window.
20. Set the Number of days before the task is executed to send notification to 0.
21. Check Send e-mail to the following administrators:
22. In the box, enter [email protected].
23. Check Send e-mail to the user whose files are about to expire.
24. Change the text in the Subject and Message body boxes to indicate that the file was
encrypted.
25. Click OK.
26. At the top, click the Schedule tab.
27. On the Schedule tab, click Create. This will bring up the Schedule window.
28. On the Schedule window, click New.
29. Accept the defaults and click OK. This will close the Schedule window.
30. Click OK. This will close the Create File Management Task window.
Testing the Implementation
The following sections explain how to test and verify that the AD RMS Bulk Protection Tool and
FCI are working together and classifying and protecting content accordingly.
This section comprises the following steps:
1. Step 1 - Create an Intellectual Property Word document
2. Step 2 - Create a General Word document
3. Step 3 - Run File Server Resource Manager Classification Rules
4. Step 4 - Run File Management Tasks
5. Step 5 - Consume documents as Britta Simon
6. Step 6 - Consume documents as Lola Jacobson
7. Step 7 - Check Administrator's Email
Step 1 - Create an Intellectual Property Word Document
This section explains how to create a Word document that contains the phrase “Intellectual
Property.”
1. Log on to the CLT1.fabrikam.com as Administrator.
2. Click Start, select All Programs, click Microsoft Office, and select Microsoft Office
Word 2007. This will bring up Word 2007 with a blank document.
3. On the blank document type the words Intellectual Property.
4. At the top, click the Office button and select Save As from the drop-down.
5. At the top, remove Libraries -> Documents from the location and enter \\
FCI.fabrikam.com\FabrikamDocuments.
6. Under File Name:, enter Spec.
7. Click Save.
8. Close Word.
Step 2 - Create a General Word Document
This section explains how to create a general Word document. This document will have the LBI
policy applied to it.
1. Log on to the CLT1.fabrikam.com as Administrator.
2. Click Start, select All Programs, click Microsoft Office, and select Microsoft Office
Word 2007. This will bring up Word 2007 with a blank document.
3. On the blank document type the words Meeting notes.
4. At the top, click the Office button and select Save As from the drop-down.
5. At the top, remove Libraries -> Documents from the location and enter \\
FCI.fabrikam.com\FabrikamDocuments.
6. Under File Name:, enter Notes.
7. Click Save.
8. Close Word.
Step 3 - Run File Server Resource Manager Classification Rules
This step explains how to manually run the classification rules. This is only being done for testing
purposes. These can be automated so that they do not have to be run manually.
1. Log on to FCI.fabrikam.com as Administrator
2. Click Start, select Administrative Tools, and select File Server Resource Manager.
3. In the File Server Resource Manager, on the left, expand Classification Management,
and right-click Classification Rules, and select Run Classification With All Rules
Now. This will bring up the Run Classification window.
4. Under How do you want to proceed?, select Wait for classification to complete
execution. Click Ok.
5. Once classification finishes, examine the report. The spec.doc should be classified as
High and the notes.doc should be classified as low.
6. Close the report.
7. Close File Server Resource Manager.
Step 4 - Run File Management Tasks
This step explains how to manually run the File Management Tasks. These tasks will now apply
the rights policy templates to our documents based on the properties that were set in the previous
step. This is only being done for testing purposes. These can be automated so that they do not
have to be run manually.
1. Log on to FCI.fabrikam.com as Administrator
2. Click Start, select Administrative Tools, and select File Server Resource Manager.
3. In the File Server Resource Manager, click File Management Tasks. Our File
Management Tasks should appear in the center of the File Server Resource Manager.
4. Right-click Fabrikam Confidential File Management Task, and select Run File
Management Task Now. This will bring up the Run File Management Task window.
5. Under How do you want to proceed?, select Wait for task to complete execution.
Click Ok.
6. Once the File Management Task has completed, examine the report.
7. Close the report.
8. Right-click Fabrikam FTE Confidential File Management Task, and select Run File
Management Task Now. This will bring up the Run File Management Task window.
9. Under How do you want to proceed?, select Wait for task to complete execution.
Click Ok.
10. Once the File Management Task has completed, examine the report.
11. Close the report.
12. Close File Server Resource Manager.
Step 5 - Consume Documents As Britta Simon
In this step we will be attempting to open the documents that we just rights protected in the
previous step. In this step, we will log on as Britta Simon, a Fabrikam full-time employee. She
should be able to open both documents.
The following steps show how to consume the documents as Britta Simon.
1. Log on to CLT1.fabrikam.com as fabrikam\bsimon.
2. Click the Windows button.
3. In the search box, type \\FCI.fabrikam.com\FabrikamDocuments. This will open the
FabrikamDocuments share.
4. Double-click notes.doc.
5. When prompted for credentials, for User name: enter bsimon. For Password, enter
Pass1word$. This will start the process of configuring AD RMS for Britta Simon.
6. Once this completes, you should see a pop-up window that says Permissions to this
document is currently restricted. Microsoft Office must connect to
http://adrms.fabrikam.com/_wmcs/licensing to verify your credentials and
download your permissions. Click OK.
7. Once this completes, you should be able to view notes.doc. Close notes.doc.
8. Double-click spec.doc.
9. When prompted for credentials, for User name: enter bsimon. For Password, enter
Pass1word$.
10. You should see a pop-up window that says Permissions to this document is currently
restricted. Microsoft Office must connect to
http://adrms.fabrikam.com/_wmcs/licensing to verify your credentials and
download your permissions. Click OK.
11. Once this completes, you should be able to view spec.doc. Close spec.doc.
Step 6 - Consume Documents As Lola Jacobson
In this step we will be attempting to open the documents as Lola Jacobson, a contractor. Lola
should be able to access the notes.doc file but should not be allowed to access the spec.doc file.
The following steps show how to consume the documents as Lola Jacobson.
1. Log on to CLT2.fabrikam.com as fabrikam\ljacobson.
2. Click the Windows button.
3. In the search box, type \\FCI.fabrikam.com\FabrikamDocuments. This will open the
FabrikamDocuments share.
4. Double-click notes.doc.
5. When prompted for credentials, for User name: enter ljacobson. For Password, enter
Pass1word$. This will start the process of configuring AD RMS for this user.
6. Once this completes, you should see a pop-up window that says Permissions to this
document is currently restricted. Microsoft Office must connect to
http://adrms.fabrikam.com/_wmcs/licensing to verify your credentials and
download your permissions. Click OK.
7. Once this completes, you should be able to view notes.doc. Close notes.doc.
8. Double-click spec.doc.
9. When prompted for credentials, for User name: enter ljacobson. For Password, enter
Pass1word$.
10. You should see a pop-up window that says Permissions to this document is currently
restricted. Microsoft Office must connect to
http://adrms.fabrikam.com/_wmcs/licensing to verify your credentials and
download your permissions. Click OK.
11. Once this completes, you should see a pop-up window that says You do not have
credentials that allow you to open this document. Do you want to open it using a
different set of credentials? Click No. At this point, you should not have any open
document in Word. Close Word.
Step 7 - Check Administrator's Email
This section explains how to check the Administrator’s e-mail. This is done to verify that
the FCI server has sent the notification.
1. Log on to the CLT1.fabrikam.com as Administrator.
2. Click Start, select All Programs, click Microsoft Office, and select Microsoft Office
Outlook 2007. This will bring up Outlook 2007.
3. Verify that the FCI server has sent the Administrator e-mail.
Appendix A - MarkLBIandProtect Windows PowerShell Script
The following Windows PowerShell script is run by the file management task created in Step 21,
which restricts files to Fabrikam employees.
# Execute the AD RMS Bulk Protection Tool against the file that FSRM passed as the first argument
$encryptfile = '"' + $args[0] + '"'
$owneremail = $args[1]
# FSRM substitutes [Source File Owner Email] only when the owner has an e-mail address.
# Otherwise the token is passed literally and split on spaces, so $args[1] is "[Source"
# and the administrator address supplied as the last task argument ($args[5]) is used instead.
if ($owneremail -eq "[Source")
{
$owneremail = $args[5]
}
# Apply the Fabrikam Confidential template, appending to the shared log and preserving file attributes
$bulkArgs = "/encrypt", $encryptfile, "\\adrms.fabrikam.com\ADRMSPublic\Fabrikam_Confidential.xml",
    $owneremail, "/log", "C:\FabrikamDocuments\RmsLog.log", "/append", "/preserveattributes"
$r = Start-Process -Wait -PassThru -FilePath C:\Windows\SysWOW64\RmsBulk.exe -ArgumentList $bulkArgs
# On success, record the protection time in dateEncrypted so the task's "not exist" condition skips this file next run
if ($r.ExitCode -eq 0)
{
$c = New-Object -ComObject Fsrm.FsrmClassificationManager
$d = (Get-Date).ToFileTimeUtc()
# Truncate the FILETIME (100-nanosecond units) to whole seconds
$d = $d - ($d % 10000000)
$c.SetFileProperty($args[0], "dateEncrypted", $d.ToString())
}
Appendix B - MarkHBIandProtect Windows PowerShell Script
The following Windows PowerShell script is run by the file management task created in Step 22,
which restricts files to full-time Fabrikam employees only.
# Execute the AD RMS Bulk Protection Tool against the file that FSRM passed as the first argument
$encryptfile = '"' + $args[0] + '"'
$owneremail = $args[1]
# FSRM substitutes [Source File Owner Email] only when the owner has an e-mail address.
# Otherwise the token is passed literally and split on spaces, so $args[1] is "[Source"
# and the administrator address supplied as the last task argument ($args[5]) is used instead.
if ($owneremail -eq "[Source")
{
$owneremail = $args[5]
}
# Apply the Fabrikam FTE Confidential template, appending to the shared log and preserving file attributes
$bulkArgs = "/encrypt", $encryptfile, "\\adrms.fabrikam.com\ADRMSPublic\Fabrikam_FTE_Confidential.xml",
    $owneremail, "/log", "C:\FabrikamDocuments\RmsLog.log", "/append", "/preserveattributes"
$r = Start-Process -Wait -PassThru -FilePath C:\Windows\SysWOW64\RmsBulk.exe -ArgumentList $bulkArgs
# On success, record the protection time in dateEncrypted so the task's "not exist" condition skips this file next run
if ($r.ExitCode -eq 0)
{
$c = New-Object -ComObject Fsrm.FsrmClassificationManager
$d = (Get-Date).ToFileTimeUtc()
# Truncate the FILETIME (100-nanosecond units) to whole seconds
$d = $d - ($d % 10000000)
$c.SetFileProperty($args[0], "dateEncrypted", $d.ToString())
}
36
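As an added example that is not part of the original document or of the two appendix scripts, the following Windows PowerShell script reads back the dateEncrypted property those scripts set, to report which files in the share have been protected and which have not. It assumes it runs on the FCI server where FSRM is installed, that C:\FabrikamDocuments is the folder to check, and that the classification manager's GetFileProperty method raises an error when the property is absent on a file.

```powershell
# Added example, not part of the original document: list which files under the
# FabrikamDocuments folder carry the dateEncrypted property written by the
# MarkLBIandProtect / MarkHBIandProtect scripts, and which still lack it.
# Assumptions: run on the FCI server with FSRM installed; $Folder is the share
# being checked; GetFileProperty(path, name, options) throws when the property
# has not been set on the file.
param(
    [string]$Folder = 'C:\FabrikamDocuments'
)

$fsrm = New-Object -ComObject Fsrm.FsrmClassificationManager

function Get-DateEncrypted {
    param([string]$Path)
    try {
        # options 0 = read the stored value without re-running classification
        $prop = $fsrm.GetFileProperty($Path, 'dateEncrypted', 0)
        # the scripts store a UTC FILETIME truncated to whole seconds
        return [DateTime]::FromFileTimeUtc([long]$prop.Value)
    } catch {
        return $null   # property absent: the task has not protected this file
    }
}

$report = Get-ChildItem -Path $Folder -Recurse |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $when = Get-DateEncrypted -Path $_.FullName
        New-Object PSObject -Property @{
            File          = $_.FullName
            Protected     = ($null -ne $when)
            DateEncrypted = $when
        }
    }

# Unprotected files are the ones to investigate: the task has not run yet,
# RmsBulk.exe exited with a non-zero code (see RmsLog.log), or the file arrived later.
$report | Sort-Object Protected, File | Format-Table File, Protected, DateEncrypted -AutoSize
$unprotected = @($report | Where-Object { -not $_.Protected })
Write-Host ("{0} of {1} files are not yet marked as protected" -f $unprotected.Count, @($report).Count)
```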
Appendix C - Using a Regular Expression with FCI
The following is an example of creating an FCI classification rule that uses a regular expression. A
regular expression is a pattern of text that consists of ordinary characters (for example, letters a
through z) and special characters, known as metacharacters. The pattern describes one or more
strings to match when searching text. The example below shows how to use a regular expression
to look for a Social Security-type number. It searches for 3 digits followed by a hyphen, then 2
digits followed by a hyphen, and finally 4 digits (ddd-dd-dddd). If any such string is found in a
document, the document is classified as having a high business impact.
To create the Regular Expression Classification Rule
1. Log on to FCI.fabrikam.com as Administrator.
2. Click Start, click Administrative Tools, and click File Server Resource Manager.
3. In the File Server Resource Manager, on the left, expand Classification Management,
right-click Classification Rules, and select Create a New Rule. This will bring up the
Classification Rule Definitions window.
4. Under Rule name:, enter Social Security Rule.
5. Under Description, enter Determines if the document contains a social security type
number.
6. Under Scope, click Add and browse to FabrikamDocuments. Click OK.
7. At the top, click the Classification tab.
8. Under Choose a method to assign the property value, select Content Classifier from
the drop-down.
9. Under Choose a property value to be assigned, select Business Impact
Classification Property from the drop-down.
10. Under Property value to be assigned, select High from the drop-down.
11. Click Advanced. This will bring up the Additional Rule Parameters.
12. On the Evaluation Type, place a check in the Re-evaluate existing property values
box and select Aggregate the values.
13. At the top, click the Additional Classification Parameters tab.
14. Under the box that says Name, enter RegularExpression. Under the box that says
Value, enter \d{3}-\d{2}-\d{4}.
15. Click OK. Click OK.
To test this, create a Word document containing the number 111-22-3333. Save it to the
C:\FabrikamDocuments share and then run the classification rule steps and file management tasks.
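As an added example (not part of the original document), the following Windows PowerShell snippet runs the pattern from step 14 over constructed sample strings and, going slightly beyond the document, compares it with a word-boundary-anchored variant that ignores ddd-dd-dddd sequences embedded in longer digit runs; the anchored pattern and the sample strings are assumptions of this example.

```powershell
# Added example, not from the original document: exercise the Social Security Rule
# pattern against constructed text, next to a tightened variant (an assumed
# refinement, not in the document) that requires the match to stand alone.
$rulePattern  = '\d{3}-\d{2}-\d{4}'       # pattern entered in step 14 of Appendix C
$tightPattern = '\b\d{3}-\d{2}-\d{4}\b'   # assumed variant: no digits directly before/after

function Test-SsnPattern {
    param([string]$Text)
    New-Object PSObject -Property @{
        Text       = $Text
        RuleMatch  = [regex]::IsMatch($Text, $rulePattern)
        TightMatch = [regex]::IsMatch($Text, $tightPattern)
    }
}

# Constructed samples: the test value from the document, plus strings that contain
# ddd-dd-dddd only as part of a longer number, which the rule pattern still flags
$samples = @(
    'Employee SSN: 111-22-3333',          # both patterns match
    'Part number 9111-22-33334 ordered',  # rule matches the inner 111-22-3333; tight does not
    'Call 555-12-34567 for support',      # rule matches 555-12-3456; tight does not
    'Invoice 2010-01-15 paid'             # neither matches (only two digits after the second hyphen)
)

$samples | ForEach-Object { Test-SsnPattern -Text $_ } |
    Format-Table Text, RuleMatch, TightMatch -AutoSize
```

Where the rule and the anchored variant disagree, the rule as written in step 14 classifies the document as High even though the digits are part of a longer identifier; whether that over-classification is acceptable is a tuning decision for the rule's Value.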
For more information about using Regular Expressions with FCI see, Classifying files based on
location and content using the File Classification Infrastructure (FCI) in Windows Server 2008 R2
(http://go.microsoft.com/fwlink/?LinkId=180326).
For more information about Regular Expressions syntax see, Regular Expression Syntax
(http://go.microsoft.com/fwlink/?LinkId=180327).