
Page 1: Microsoft Windows Server 2008 R2 - AD RMS Bulk Protection Tool and File Classification Infrastructure Whitepaper

AD RMS Bulk Protection Tool and File Classification Infrastructure – Step-by-Step

Microsoft Corporation

Published: January 2010

Author: Bill Mathers

Editor: John Andrilla

Acknowledgements

Special thanks to the following people for reviewing and providing invaluable feedback for this document:

Clinton Ho, Microsoft Corporation.

Matthias Wollnik, Microsoft Corporation.

Saket Kataruka, Microsoft Corporation.

Jason Tyler, Microsoft Corporation.

Abstract

This document will assist architects, consultants, system engineers, and system administrators in deploying the AD RMS Bulk Protection Tool in conjunction with Windows Server 2008 R2 File Classification Infrastructure.


Copyright

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred.

© 2009 Microsoft Corporation. All rights reserved.

Active Directory, Microsoft, MS-DOS, Visual Studio, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Contents

AD RMS Bulk Protection Tool and FCI Step-by-Step ..... 5
    About this Guide ..... 5
        What This Guide Does Not Provide ..... 5
Requirements for this Document ..... 6
The Scenario ..... 7
    Scenario description ..... 7
        The testing environment ..... 7
        Required Groups ..... 8
        Required accounts ..... 9
Implementing the Procedures in this Document ..... 9
Step 1 - Create FabrikamUsers Organizational Unit ..... 10
Step 2 - Create Test Users ..... 10
Step 3 - Create Test Groups ..... 12
Step 4 - Add Users to Groups ..... 14
Step 5 - Install FCI on Windows Server 2008 R2 ..... 14
Step 6 - Install AD RMS Bulk Protection Tool ..... 15
Step 7 - Create ADRMSPublic Shared Folder ..... 16
Step 8 - Create Fabrikam Confidential Rights Policy Template ..... 16
Step 9 - Create Fabrikam FTE Confidential Rights Policy Template ..... 17
Step 10 - Add AD RMS Cluster URL to Local Intranet for Local System ..... 18
Step 11 - Grant FCI Machine Account Read and Execute Permissions ..... 19
Step 12 - Grant AD RMS Service Group Read and Execute Permissions ..... 20
Step 13 - Create FabrikamDocuments Shared Folder ..... 21
Step 14 - Grant FCI Server Send As Rights ..... 22
Step 15 - Configure FCI for E-mail Notification ..... 22
Step 16 - Change Timeout on Certification Path Validation Settings ..... 23
Step 17 - Create Business Impact Classification Property ..... 24
Step 18 - Create dateEncrypted Classification Property ..... 25
Step 19 - Create LBI Classification Rule ..... 25
Step 20 - Create HBI Classification Rule ..... 26
Step 21 - Restrict Files to Fabrikam Employees ..... 27
Step 22 - Restrict Files to Full-Time Fabrikam Employees ..... 28
Testing the Implementation ..... 30
Step 1 - Create an Intellectual Property Word Document ..... 30
Step 2 - Create a General Word Document ..... 31
Step 3 - Run File Server Resource Manager Classification Rules ..... 31
Step 4 - Run File Management Tasks ..... 32
Step 5 - Consume Documents As Britta Simon ..... 32
    Consume Documents as Britta Simon ..... 33
Step 6 - Consume Documents As Lola Jacobson ..... 33
    Consume Documents as Lola Jacobson ..... 33
Step 7 - Check Administrator's Email ..... 34
Appendix A - MarkLBIandProtect Windows PowerShell Script ..... 35
Appendix B - MarkHBIandProtect Windows PowerShell Script ..... 36
Appendix C - Using a Regular Expression with FCI ..... 37


AD RMS Bulk Protection Tool and FCI Step-by-Step

About this Guide

This step-by-step guide walks you through the process of configuring the AD RMS Bulk Protection Tool and FCI in a test environment. Windows Server 2008 R2 File Classification Infrastructure provides a built-in solution for file classification, allowing administrators to automate manual processes with predefined policies based on the data’s business value.

In this guide, the AD RMS Bulk Protection Tool will be used in conjunction with FCI to apply AD RMS rights policies based on the classifications that are determined by FCI.

As you complete the steps in this guide, you will:

• Install File Classification Infrastructure on Windows Server 2008 R2.

• Install and configure the AD RMS Bulk Protection Tool.

• Configure FCI to use the AD RMS Bulk Protection Tool to apply policies based on business impact.

• Verify the policies have been applied successfully.

What This Guide Does Not Provide

This guide does not provide the following:

• Guidance for setting up and configuring Active Directory Domain Services in either a production or test environment. This guide assumes that Active Directory Domain Services is already configured in the test environment. For more information about configuring Active Directory Domain Services, see AD DS Installation and Removal Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=154567).

• Guidance for setting up and configuring Active Directory Certificate Services in either a production or test environment. This guide assumes that Active Directory Certificate Services is already configured and working in the test environment. You must ensure that you have a valid SSL certificate and that the certificate chain is trusted in order for the AD RMS Bulk Protection Tool to automatically bootstrap the machine and the FCI Local System account. For more information about configuring Active Directory Certificate Services, see Active Directory Certificate Services (http://go.microsoft.com/fwlink/?LinkId=179761).

• Guidance for setting up and configuring AD RMS in either a production or test environment. This guide assumes that AD RMS is already configured and working in the test environment. For more information about configuring AD RMS, see the AD RMS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkID=154256).

• Guidance for setting up and configuring Exchange Server 2007 SP1 in either a production or test environment. This guide assumes that Exchange 2007 SP1 is already set up and configured in the test environment. For more information about configuring Exchange Server 2007 SP1, see Microsoft Exchange Server 2007 (http://go.microsoft.com/fwlink/?LinkId=154564).

• Guidance for setting up and configuring Windows PowerShell in either a production or test environment. This guide assumes that Windows PowerShell is already set up and configured in the test environment on the FCI.fabrikam.com server. For more information about configuring Windows PowerShell using Server Manager, see Windows Server 2008 Server Manager Technical Overview (http://go.microsoft.com/fwlink/?LinkId=178642).

• Guidance for installing PsExec in either a production or test environment. PsExec is a lightweight telnet replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. This guide assumes that PsExec is already set up and configured in the test environment on the CLT1.fabrikam.com client. For more information about PsExec, see PsExec v1.97 (http://go.microsoft.com/fwlink/?LinkId=179150).

Requirements for this Document

The following table summarizes the Microsoft software that was used in this guide.

| Software | Additional Information |
| --- | --- |
| Windows Server® 2008 Enterprise 32-bit edition | Windows Server® 2008 Enterprise (http://go.microsoft.com/fwlink/?LinkId=156710) |
| Windows Server® 2008 R2 | Windows Server® 2008 R2 (http://go.microsoft.com/fwlink/?LinkId=165669) |
| Windows® 7 Enterprise | Windows® 7 Enterprise (http://go.microsoft.com/fwlink/?LinkId=160776) |
| Active Directory Domain Services | Active Directory (http://go.microsoft.com/fwlink/?LinkId=156712) |
| Active Directory Certificate Services | Active Directory Certificate Services (http://go.microsoft.com/fwlink/?LinkId=179761) |
| Active Directory Rights Management Services (AD RMS) | Active Directory Rights Management Services (AD RMS) (http://go.microsoft.com/fwlink/?LinkId=163969) |
| Microsoft SQL Server 2008 Service Pack 1 – 64-bit edition | Microsoft SQL Server 2008 (http://go.microsoft.com/fwlink/?LinkId=156714) |
| Microsoft Exchange Server 2007 Service Pack 1 – 64-bit | Microsoft Exchange Server 2007 (http://go.microsoft.com/fwlink/?LinkId=156715) |
| Microsoft Office 2007 with Service Pack 2 | Microsoft Office 2007 (http://go.microsoft.com/fwlink/?LinkId=156717) |
| Microsoft Hyper-V | Microsoft Hyper-V (http://go.microsoft.com/fwlink/?LinkID=156719) |
| File Classification Infrastructure | FCI (http://go.microsoft.com/fwlink/?LinkId=165668) |
| Microsoft Windows PowerShell 2.0 | Windows PowerShell 2.0 (http://go.microsoft.com/fwlink/?LinkId=178634) |
| Internet Information Services (IIS) 7.0 | IIS 7.0 (http://go.microsoft.com/fwlink/?LinkId=160778) |
| AD RMS Bulk Protection Tool | AD RMS Bulk Protection Tool (http://go.microsoft.com/fwlink/?LinkId=166237) |
| Sysinternals PsExec | PsExec v1.97 (http://go.microsoft.com/fwlink/?LinkId=179150) |

The Scenario

Scenario description

Fabrikam, a fictitious company, has a number of file servers that store the company’s documents. These documents may be general documentation or may have a high business impact (HBI). For example, any document that contains intellectual property is deemed, by Fabrikam, to have a high business impact. Fabrikam wants to ensure that all their documentation has a minimum amount of protection and that their HBI documentation is restricted to full-time employees only.

In order to accomplish this, Fabrikam is exploring using the AD RMS Bulk Protection Tool in conjunction with File Classification Infrastructure (FCI) available in Windows Server 2008 R2. Using FCI, Fabrikam will classify all of the documents on their file server based on the content and then use the AD RMS Bulk Protection Tool to apply the appropriate rights policy. Fabrikam has set up a test environment to evaluate these functions.

The testing environment

The scenario outlined in this document has been developed and tested on two stand-alone computers running the 64-bit editions of the Windows Server® 2008 R2 operating system and Hyper-V. The servers have two 3.0 gigahertz (GHz) dual core processors and 8 gigabytes (GB) of RAM each. Using Hyper-V, the following seven virtual machines were created on the hosts.

Table 1 Virtual Machines and Roles

| Computer Name | Forest | Operating System | Memory (MB) | Applications and Services | IP Address |
| --- | --- | --- | --- | --- | --- |
| DC | fabrikam.com | Windows Server 2008 x64 SP2 | 512 | Active Directory, DNS, Certificate Authority | 192.168.100.100 |
| EX | fabrikam.net | Windows Server 2008 x64 SP2 | 2048 | Exchange 2007, IIS 7.0 | 192.168.100.101 |
| ADRMS | fabrikam.com | Windows Server® 2008 R2 x64 | 1024 | AD RMS, SQL Server 2008 SP1, IIS 7.0 | 192.168.100.102 |
| FCI | fabrikam.com | Windows Server® 2008 R2 x64 | 1024 | File Classification Infrastructure | 192.168.100.103 |
| CLT1 | fabrikam.com | Windows 7 Enterprise x86 | 1024 | Microsoft Office Word 2007 Enterprise Edition SP2 | 192.168.100.104 |
| CLT2 | fabrikam.com | Windows 7 Enterprise x86 | 1024 | | 192.168.100.105 |

Hyper-V is not a requirement to complete the steps outlined later. These steps can be implemented on physical computers as long as they reflect the same roles as the preceding table.

Required Groups

The following table summarizes the universal groups used in this step-by-step guide.

Table 2 Group Summary

| Group Name | Group Scope | Group Type |
| --- | --- | --- |
| All Staff | Universal | Security |
| All FTE | Universal | Security |
| All Contractors | Universal | Security |

Required accounts

The following table summarizes the accounts used in this step-by-step guide.

Table 3 Required Accounts

| Account | Display name | Forest | Group Membership | Password | Description |
| --- | --- | --- | --- | --- | --- |
| bsimon | Britta Simon | fabrikam.com | All FTE | Pass1word$ | User account. |
| ljacobson | Lola Jacobson | fabrikam.net | All Contractors | Pass1word$ | User account. |

Implementing the Procedures in this Document

The following steps will guide you through setting up the initial environment. This part of the document illustrates setting up the AD RMS Bulk Protection Tool and FCI.

This section consists of the following steps:

1. Step 1 – Create FabrikamUsers Organizational Unit

2. Step 2 – Create Test Users

3. Step 3 – Create Test Groups

4. Step 4 – Add Users to Groups

5. Step 5 – Install FCI on Windows Server 2008 R2

6. Step 6 – Install the AD RMS Bulk Protection Tool

7. Step 7 – Create ADRMSPublic Shared Folder

8. Step 8 – Create Fabrikam Confidential Rights Policy Template

9. Step 9 – Create Fabrikam FTE Confidential Rights Policy Template

10. Step 10 – Add the AD RMS Cluster URL to Local Intranet

11. Step 11 – Grant FCI Machine Account Read and Execute Permissions

12. Step 12 – Grant AD RMS Service Group Read and Execute Permissions

13. Step 13 – Create FabrikamDocuments Shared Folder

14. Step 14 – Grant FCI Server Send As Rights

15. Step 15 – Configure FCI for E-mail Notification

16. Step 16 – Change Timeout on Certification Path Validation Settings

17. Step 17 – Create Business Impact Classification Property

18. Step 18 – Create dataEncrypted Classification Rule

19. Step 19 – Create LBI Classification Rule

20. Step 20 – Create HBI Classification Rule

21. Step 21 – Restrict Files to Fabrikam Employees

22. Step 22 – Restrict Files to Full-time Employees

Step 1 - Create FabrikamUsers Organizational Unit

This step explains how to create an organizational unit in fabrikam.com. This organizational unit will store all of the test users.

To create the organizational unit

1. Log on to DC.fabrikam.com as Administrator.

2. Click Start, select Administrative Tools, and click Active Directory Users and Computers. This will open the Active Directory Users and Computers MMC.

3. In the Active Directory Users and Computers MMC, from the tree view on the left, right-click fabrikam.com, select New, and then Organizational Unit.

4. In the Name textbox, type FabrikamUsers. Click OK.

5. Close Active Directory Users and Computers.

Step 2 - Create Test Users

This step explains how to create and mailbox-enable the test users in fabrikam.com. These accounts will be used to verify that the AD RMS Bulk Protection Tool and FCI are working correctly.

Table 1 Required Accounts

| First Name | Last Name | User logon name | Display name | Forest | Password |
| --- | --- | --- | --- | --- | --- |
| Britta | Simon | bsimon | Britta Simon | fabrikam.com | Pass1word$ |
| Lola | Jacobson | ljacobson | Lola Jacobson | fabrikam.com | Pass1word$ |

To create the test User Accounts

1. Log on to the DC.fabrikam.com Server as Administrator.

2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.

3. Expand fabrikam.com, right-click FabrikamUsers, select New and then select User. This will bring up the New Object – User window.

4. On the New Object – User screen, in the First Name box, enter Britta.

5. On the New Object – User screen, in the Last Name box, enter Simon.

6. On the New Object – User screen, in the User logon name: box, enter bsimon and click Next.

7. On the New Object – User screen, in the Password box, enter Pass1word!.

8. On the New Object – User screen, in the Confirm Password box, enter Pass1word!.

9. On the New Object – User screen, clear the User must change password at next logon check box.

10. On the New Object – User screen, select the Password never expires check box and click Next.

11. Click Finish.

12. Repeat these steps for all of the accounts listed in the Account Summary table.

To Mailbox-Enable the User Accounts

1. Log on to the EX.fabrikam.com Server as Administrator.

2. Click Start, click All Programs, click Microsoft Exchange Server 2007, and click Exchange Management Console.

3. In the Exchange Management Console, expand Recipient Configuration, and click Mailbox.

4. On the right, in the Actions pane, click New Mailbox… to start the New Mailbox wizard.

5. On the Introduction screen, select User Mailbox and click Next.

6. On the User Type screen, select Existing users and click Add. This will bring up the Select User – fabrikam.com screen.

7. From the list, using the Ctrl key, select Britta Simon and Lola Jacobson, then click OK.

8. Click Next.

9. On the Group Information screen, click Next.

10. On the Mailbox Settings screen, under Mailbox database, click Browse. This will bring up the Select Mailbox Database screen.

11. Select the Mailbox Database and click OK. Click Next.

12. On the New Mailbox screen, click Next.

13. On the Completion screen, verify that it was successful and click Finish.

14. Close Exchange Management Console.

Step 3 - Create Test Groups

This step explains how to create and mail-enable the test groups in fabrikam.com. It also explains how to make certain groups members of other groups. These groups will be used to determine who has usage rights to the protected content created later in this guide.

Table 1 Group Summary

| Group Name | Group Scope | Group Type |
| --- | --- | --- |
| All Staff | Universal | Security |
| All FTE | Universal | Security |
| All Contractors | Universal | Security |

To create the test Groups

1. Log on to the DC.fabrikam.com Server as Administrator.

2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.

3. Expand fabrikam.com, right-click FabrikamUsers, select New and then select Group. This will bring up the New Object – Group window.

4. On the New Object – Group screen, in the Group Name box, enter All Staff.

5. On the New Object – Group screen, under Group scope, select Universal.

6. On the New Object – Group screen, under Group type, select Security.

7. Click OK.

8. Repeat these steps for all of the groups listed in the Group Summary table.

To Mail-Enable the Security Groups

1. Log on to the EX.fabrikam.com Server as Administrator.

2. Click Start, click All Programs, click Microsoft Exchange Server 2007, and click Exchange Management Console.

3. In the Exchange Management Console, expand Recipient Configuration, and click Distribution Group.

4. On the right, in the Actions pane, click New Distribution Group… to start the New Distribution Group wizard.

5. On the Introduction screen, select Existing group and click Browse. This will bring up the Select Group – fabrikam.com screen.

6. From the list, select All Staff and click OK.

7. Click Next.

8. On the Group Information screen, click Next.

9. On the New Distribution Group screen, click New.

10. On the Completion screen, verify that it was successful and click Finish.

11. Close Exchange Management Console.

12. Repeat these steps for all of the groups listed in the Group Summary table.

To add the All FTE group and All Contractors group to the All Staff group

1. Log on to the DC.fabrikam.com Server as Administrator.

2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.

3. Expand fabrikam.com, select FabrikamUsers, right-click All Staff, and select Properties. This will bring up the All Staff Properties window.

4. On the Members tab, click Add. This will bring up the Select Groups dialog box.

5. On the Select Groups dialog box, in the Enter the object names to select (examples) box, enter All FTE and click Check Names. This should resolve with an underline.

6. Click OK. This will close the Select Groups dialog box.

7. On the Members tab, click Add. This will bring up the Select Groups dialog box.

8. On the Select Groups dialog box, in the Enter the object names to select (examples) box, enter All Contractors and click Check Names. This should resolve with an underline.

9. Click OK. This will close the Select Groups dialog box.

10. On the All Staff Properties window, click Apply.

11. Click OK. This will close the All Staff Properties dialog box.

12. Close Active Directory Users and Computers.

Step 4 - Add Users to Groups

This step explains how to add the previously created users to the previously created security groups.

Table 1 Account Summary

| First Name | Last Name | User logon name | Member of |
| --- | --- | --- | --- |
| Britta | Simon | bsimon | All FTE |
| Lola | Jacobson | ljacobson | All Contractors |

To add test user accounts to test groups

1. Log on to the DC.fabrikam.com Server as Administrator.

2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.

3. Expand fabrikam.com, select FabrikamUsers, right-click Britta Simon, and select Properties. This will bring up the Britta Simon Properties window.

4. On the Member of tab, click Add. This will bring up the Select Groups dialog box.

5. On the Select Groups dialog box, in the Enter the object names to select (examples) box, enter All FTE and click Check Names. This should resolve with an underline.

6. Click OK. This will close the Select Groups dialog box.

7. On the Britta Simon Properties window, click Apply.

8. Click OK. This will close the Britta Simon Properties dialog box.

9. Repeat these steps for all of the accounts listed in the Account Summary table, substituting the appropriate Member of value.

10. Close Active Directory Users and Computers.
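The Active Directory part of Steps 1 through 4 as a single script, added here as an example and not taken from the guide. It assumes the ActiveDirectory module is available on a Windows Server 2008 R2 machine that can reach DC.fabrikam.com through Active Directory Web Services (or the Active Directory Management Gateway Service on the 2008 SP2 domain controller), and it leaves the Exchange mailbox-enable and mail-enable procedures to the console steps above.

```powershell
# Added example, not part of the guide: the Active Directory objects from Steps 1-4
# created with the ActiveDirectory module instead of the GUI.
# Assumptions: run in an elevated Windows PowerShell 2.0 session on a Windows
# Server 2008 R2 machine with the RSAT AD PowerShell module installed, against a
# domain controller that runs Active Directory Web Services or the Active Directory
# Management Gateway Service (the guide's DC is Windows Server 2008 SP2).
Import-Module ActiveDirectory

$server   = 'DC.fabrikam.com'
$domainDN = 'DC=fabrikam,DC=com'
$ouDN     = "OU=FabrikamUsers,$domainDN"

# Step 1: the organizational unit that holds every test object.
New-ADOrganizationalUnit -Name 'FabrikamUsers' -Path $domainDN -Server $server

# Step 2: test users. The password is the lab value from the guide's account table;
# single quotes keep the trailing '$' literal. Step 2 of the guide asks for a
# never-expiring password, which is acceptable only in this isolated test forest.
$labPassword = ConvertTo-SecureString 'Pass1word$' -AsPlainText -Force
$users = @(
    @{ First = 'Britta'; Last = 'Simon';    Logon = 'bsimon';    MemberOf = 'All FTE' },
    @{ First = 'Lola';   Last = 'Jacobson'; Logon = 'ljacobson'; MemberOf = 'All Contractors' }
)
foreach ($u in $users) {
    $display = '{0} {1}' -f $u.First, $u.Last
    New-ADUser -Name $display -DisplayName $display -GivenName $u.First -Surname $u.Last `
        -SamAccountName $u.Logon -UserPrincipalName ('{0}@fabrikam.com' -f $u.Logon) `
        -Path $ouDN -AccountPassword $labPassword -Enabled $true `
        -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Server $server
}

# Step 3: universal security groups (Table 2), then nest All FTE and All Contractors
# inside All Staff so a template granted to All Staff reaches every employee.
foreach ($g in 'All Staff', 'All FTE', 'All Contractors') {
    New-ADGroup -Name $g -SamAccountName $g -GroupScope Universal -GroupCategory Security `
        -Path $ouDN -Server $server
}
Add-ADGroupMember -Identity 'All Staff' -Members 'All FTE', 'All Contractors' -Server $server

# Step 4: direct user memberships from the Account Summary table.
foreach ($u in $users) {
    Add-ADGroupMember -Identity $u.MemberOf -Members $u.Logon -Server $server
}

# Verification: list each user's direct group memberships. Only bsimon should be in
# All FTE; that membership is what the FTE-only template created later relies on.
# All Staff does not appear here because it is reached through group nesting.
foreach ($u in $users) {
    $groups = Get-ADPrincipalGroupMembership -Identity $u.Logon -Server $server |
        Select-Object -ExpandProperty Name
    '{0,-10} direct member of: {1}' -f $u.Logon, ($groups -join ', ')
}
```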

Step 5 - Install FCI on Windows Server 2008 R2

This step explains how to install FCI on Windows Server® 2008 R2.

To install File Classification Infrastructure

1. Log on to the FCI.fabrikam.com Server as Administrator.

2. Click Start, select Administrative Tools, and click Server Manager.

3. On the left, right-click Roles and select Add Roles. This will bring up the Add Roles Wizard.

4. On the Before You Begin screen, click Next.

5. On the Select Server Roles screen, select the check box next to File Services and click Next.

6. On the File Services screen, click Next.

7. On the Select Role Services screen, select the check box next to File Server Resource Manager and click Next.

8. On the Configure Storage Usage Monitoring screen, click Next.

9. On the Confirm Installation Selections screen, click Install.

10. On the Installation Results screen, verify the installation was successful and click Close.

11. Close Server Manager.

Step 6 - Install AD RMS Bulk Protection Tool

This step explains how to install the AD RMS Bulk Protection Tool.

To install the AD RMS Bulk Protection Tool

1. Log on to the FCI.fabrikam.com Server as Administrator.

2. Navigate to where you downloaded the tool and double-click rmsbulk.msi. This will bring up the Rights Management Services Bulk Protection Tool Setup wizard.

3. On the Welcome to the Rights Management Services Bulk Protection Tool Setup Wizard screen, click Next.

4. On the End-User License Agreement screen, read the EULA, click I accept the terms in the License Agreement, and click Next.

5. On the Destination Folder screen, click the Change button, navigate to C:\Windows\SysWOW64, and click OK. Verify the path is now SysWOW64 and click Next.

6. On the Ready to install Rights Management Services Bulk Protection Tool screen, click Install.

7. On the Completed the Rights Management Services Bulk Protection Tool Setup Wizard screen, click Finish.

Step 7 - Create ADRMSPublic Shared Folder

This step explains how to create the ADRMSPublic shared folder. This shared folder will be used

to store our AD RMS rights policy templates.

1. Log on to ADRMS.fabrikam.com as Administrator

2. Click Start, click Computer, and then double-click Local Disk (C:).

3. Click File, point to New, and then click Folder.

4. Type ADRMSPublic for the new folder, and then press ENTER.

5. Right-click ADRMSPublic, and then click Share.

6. On the File Sharing window, in the box under Type the name of the person you want

to share with and click Add… enter Everyone and click Add. The Everyone group

should now appear in the box below. The Permission Level should be Reader.

7. On the File Sharing window, in the box under Type the name of the person you want

to share with and click Add… enter ADRMS Service and click Add. The Everyone

group should now appear in the box below. The Permission Level should be

Contributor.

Important

If you have setup AD RMS with a different service account name, use that

account in the step above.

8. Click Share. The window should change and you should now see Your folder is

shared.

9. Click Done.

Step 8 - Create Fabrikam Confidential Rights Policy Template

This step explains how to create the Fabrikam Confidential Rights Policy Template. This template

will be the minimum rights protection placed on all content within Fabrikam’s organization.

1. Log on to ADRMS.fabrikam.com as Administrator.

2. Open the Active Directory Rights Management Services Administration console. Click

Start, point to Administrative Tools, and then click Active Directory Rights

Management Services.


3. If the User Account Control dialog box appears, confirm that the action it displays is

what you want, and then click Continue.

4. In the Active Directory Rights Management Services Administration console, expand the

cluster name.

5. Click Rights Policy Templates and ensure that Distributed Rights Policy Templates

information appears in the center pane. On the right, in the Actions pane, click

Properties. This will bring up the Rights Policy Templates Properties dialog box.

6. On the Rights Policy Templates Properties dialog box, select the Enable export check

box, type \\adrms\ADRMSPublic in the Specify templates file location (UNC) box, and

then click OK.

7. On the right, in the Actions pane, click Create Distributed Rights Policy Template to

start the Create Distributed Rights Policy Template wizard.

8. Click Add.

9. In the Language box, choose the appropriate language for the rights policy template.

10. Type Fabrikam Confidential in the Name box.

11. Type This content is confidential and proprietary information intended for Fabrikam

employees only and provides the following user rights: View, Reply, Reply All,

Save, Edit, and Forward in the Description box, and then click Add.

12. Click Next.

13. Click Add, type [email protected] in The e-mail address of a user or group

box, and then click OK.

14. Select the View, Reply, Reply All, Save, Edit, and Forward check boxes.

15. Click Finish.

Step 9 - Create Fabrikam FTE Confidential Rights Policy Template

This step explains how to create the Fabrikam FTE Confidential Rights Policy Template. This

template will be the rights protection placed on all content that is deemed to have a High

Business Impact within Fabrikam’s organization.

1. Log on to ADRMS.fabrikam.com as Administrator.

2. Open the Active Directory Rights Management Services Administration console. Click

Start, point to Administrative Tools, and then click Active Directory Rights

Management Services.


3. In the Active Directory Rights Management Services Administration console, expand the

cluster adrms.fabrikam.com.

4. Click Rights Policy Templates.

5. On the right, in the Actions pane, click Create Distributed Rights Policy Template to

start the Create Distributed Rights Policy Template wizard.

6. Click Add.

7. In the Language box, choose the appropriate language for the rights policy template.

8. Type Fabrikam FTE Confidential in the Name box.

9. Type This content is confidential and proprietary information intended for Fabrikam

full-time employees only and provides the following user rights: View, Reply, Reply

All, Save, Edit, and Forward in the Description box, and then click Add.

10. Click Next.

11. Click Add, type [email protected] in The e-mail address of a user or group box,

and then click OK.

12. Select the View, Reply, Reply All, Save, Edit, and Forward check boxes.

13. Click Finish.

Step 10 - Add AD RMS Cluster URL to Local Intranet for Local System

This step explains how to add the AD RMS cluster URL to the Local intranet zone in Internet

Explorer on FCI.fabrikam.com for the Local System account. The file management tasks created

later run the AD RMS Bulk Protection Tool as Local System, so the zone setting and the

certificate trust must exist for that account, not for the Administrator who logs on interactively.

1. Log on to CLT1.fabrikam.com as Administrator.

2. Click Start, type cmd in the Search programs and files box, and press ENTER. This

opens a command prompt.

3. From the command-line, navigate to C:\PSTools.

Important

If you have PSTools installed to a different location, navigate to that location

from the command-line.

4. From the PSTools directory, type psexec \\FCI -u Administrator -p Pass1word$ -i -s

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" and press ENTER. The -s switch

runs Internet Explorer as Local System on FCI, and -i makes it interactive on that

server's console. If you omit -p, PsExec prompts for the password instead of leaving it

in the command history and in the visible command line of the psexec process.

Important

If your Administrator account is different, use your account in the command-line

syntax above.

5. If this brings up the Sysinternals license agreement, click Agree.

6. Log on to FCI.fabrikam.com as Administrator. There should be an instance of Internet

Explorer running.

7. At the top of Internet Explorer, under Tools, click Internet Options.

8. Click the Security tab and select Local intranet from the Select a zone to view or

change security settings box.

9. Click Sites to show a Local intranet window. Click Advanced.

10. In the Add this website to the zone: box, type https://adrms.fabrikam.com. Click

Add.

11. Place a check in Require server verification (https:) for all sites in this zone and click

Close. Click Ok.

12. Click OK to close the Internet Options dialog box.

Important

At this point, try to access the following from this Local System instance of

Internet Explorer: https://adrms.fabrikam.com/_wmcs/certification/certification.asmx.

Verify that there are no certificate errors. If there are, the CA chain that issued

the AD RMS cluster certificate is not trusted by the local computer. Local System

uses the Local Computer certificate store, so install the root (and any intermediate)

CA certificate under Trusted Root Certification Authorities for the computer, not for a

user. One way is to click the certificate error at the top of the browser, select View

certificates, click Certification Path, highlight the root certificate, click View

Certificate, and install it into the Local Computer Trusted Root Certification

Authorities store. Alternatively, from an elevated command prompt, import the CA

certificate file with certutil -addstore Root <ca.cer>. Do not suppress the error by

trusting the cluster's end-entity certificate alone; the chain must validate.

13. Close Internet Explorer.

14. Log off FCI.fabrikam.com

15. On CLT1.fabrikam.com, close the command window.
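The GUI procedure above sets the Local intranet zone entry and checks certificate trust for Local System by driving Internet Explorer through PsExec. The following PowerShell script is an added example (it is not part of the whitepaper and not a Microsoft-supplied tool) that does the same two things from a script run as Local System, for example with psexec \\FCI -s powershell.exe -File C:\Temp\ZoneForSystem.ps1. It assumes the cluster name used in this lab, that Local System's per-user Internet Settings live under HKEY_USERS\S-1-5-18 (the hive PsExec-launched Internet Explorer writes to), and it does not set the Require server verification (https:) check box.

```powershell
# Added example (not from the whitepaper): register adrms.fabrikam.com in the
# Local intranet zone for the account running this script (intended: Local
# System, hive HKU\S-1-5-18), then test the certification URL for chain errors.
# Assumptions: cluster host name and URL as in this lab; the zone mapping is
# written only for the https scheme.

$clusterHost = 'adrms.fabrikam.com'
$certUrl     = "https://$clusterHost/_wmcs/certification/certification.asmx"

# ZoneMap zone numbers: 1 = Local intranet, 2 = Trusted sites.
$localIntranet = 1

# ZoneMap\Domains nests the leading label under the parent domain:
# ...\ZoneMap\Domains\fabrikam.com\adrms  with value "https" = zone number.
$labels = $clusterHost.Split('.')
$parent = ($labels[1..($labels.Length - 1)]) -join '.'
$leaf   = $labels[0]

if (-not (Test-Path 'HKU:\')) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$sid = ([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value
$key = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$parent\$leaf"

if ($sid -ne 'S-1-5-18') {
    Write-Warning "Running as $sid, not Local System; the entry goes into that account's hive."
}
New-Item -Path $key -Force | Out-Null
# Map only https, so a plain http:// URL to the cluster stays in the Internet zone.
Set-ItemProperty -Path $key -Name 'https' -Value $localIntranet -Type DWord

# Chain check: WebClient throws a WebException with no Response when the
# server certificate chain is untrusted. A response (even 401 from Windows
# authentication) proves the TLS handshake and chain validation succeeded.
try {
    (New-Object System.Net.WebClient).DownloadString($certUrl) | Out-Null
    "OK: $certUrl reachable and certificate chain trusted for $sid"
} catch [System.Net.WebException] {
    if ($_.Exception.Response -ne $null) {
        "OK: TLS handshake succeeded (HTTP {0})" -f [int]$_.Exception.Response.StatusCode
    } else {
        "FAIL: $($_.Exception.Message)"
        "Import the issuing CA chain into the Local Computer Trusted Root store: certutil -addstore Root <ca.cer>"
    }
}
```

The chain check uses the .NET/SChannel trust store, which is the same Local Computer store Internet Explorer consults when running as Local System, so a FAIL here reproduces the certificate error the Important note above asks you to look for; it does not verify the zone assignment itself, which is only read by WinINet-based clients.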

Step 11 - Grant FCI Machine Account Read and Execute Permissions

This step explains how to grant the FCI machine account Read & execute permissions on the

ServerCertification.asmx page. AD RMS installs this page with no access granted, so a server

cannot enroll with the cluster until its account is explicitly allowed. The AD RMS Bulk Protection

Tool runs under the Local System account on the FCI server and therefore authenticates to the

cluster as the computer account FABRIKAM\FCI$, which is why that account, and not a user, is

granted here.

1. Log on to ADRMS.fabrikam.com Server as Administrator

2. Click Start, select Computer, double-click Local Disk (C:), double-click inetpub,

double-click wwwroot, double-click _wmcs, double-click certification, right-click

ServerCertification.asmx and select Properties. This will bring up the

ServerCertification.asmx Properties.

3. On the ServerCertification.asmx properties, select the Security tab, and then click

Edit. This will bring up the Permissions for ServerCertification.asmx.

4. On the Permissions for ServerCertification.asmx screen, click Add. This will bring up

the Select Users, Computers, or Groups screen.

5. On the Select Users, Computers, or Groups screen, to the right, click the Object

Types… button. This will bring up the Object Types screen.

6. On the Object Types screen, place a check in Computers and click Ok. This will close

the Object Types screen.

7. On the Select Users, Computers, or Groups screen, under Enter the object names to

select, enter fabrikam\FCI and click Check Names. This should resolve with an

underline. Click Ok.

8. On the Permissions for ServerCertification.asmx screen, select the newly added

fabrikam\FCI$ and verify that only Read & execute (and the Read it implies) is checked;

the computer account does not need Write or Modify on this page. Click Apply, and then

click OK. This will close the Permissions for ServerCertification.asmx screen.

9. On the ServerCertification.asmx properties, click Ok. This will close the

ServerCertification.asmx properties.

Step 12 - Grant AD RMS Service Group Read and Execute Permissions

This step explains how to grant the AD RMS Service Group Read & execute permissions on the

ServerCertification.asmx page. The AD RMS Service Group is the local group that AD RMS setup

creates on the cluster server for the service account; without this entry the page cannot be

served, and the AD RMS Bulk Protection Tool running under the Local System account on the FCI

server cannot complete enrollment.

1. Log on to ADRMS.fabrikam.com Server as Administrator

2. Click Start, select Computer, double-click Local Disk (C:), double-click inetpub,

double-click wwwroot, double-click _wmcs, double-click certification, right-click

ServerCertification.asmx and select Properties. This will bring up the

ServerCertification.asmx Properties.

3. On the ServerCertification.asmx properties, select the Security tab, and then

click Edit. This will bring up the Permissions for ServerCertification.asmx.

4. On the Permissions for ServerCertification.asmx screen, click Add. This will bring up

the Select Users, Computers, or Groups screen.

5. On the Select Users, Computers, or Groups screen, under Enter the object names to

select, enter ADRMS\AD RMS Service Group and click Check Names. This should

resolve with an underline. Click Ok.

6. On the Permissions for ServerCertification.asmx screen, select the newly added AD

RMS Service Group and verify that it has a check in Read & execute. Click Apply, and then

click OK. This will close the Permissions for ServerCertification.asmx screen.

7. On the ServerCertification.asmx properties, click Ok. This will close the

ServerCertification.asmx properties.

8. Restart the ADRMS.fabrikam.com server.
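Steps 11 and 12 make the same kind of change twice through the Security tab. The following PowerShell script is an added example (not from the whitepaper) that applies both grants on the AD RMS server in one pass and then lists the resulting ACL so the result can be checked. It assumes the default IIS path for the AD RMS certification pipeline and the two principal names used in Steps 11 and 12; adjust them if your cluster uses a different site path or service group.

```powershell
# Added example (not from the whitepaper): grant Read & execute on
# ServerCertification.asmx to the FCI computer account and to the local
# AD RMS Service Group, then print the ACL for verification.
# Run in an elevated PowerShell on the AD RMS cluster server (ADRMS.fabrikam.com).
# Assumptions: default IIS path below; principal names as in Steps 11 and 12.

$asmx = 'C:\inetpub\wwwroot\_wmcs\certification\ServerCertification.asmx'
$principals = @(
    'FABRIKAM\FCI$',              # computer account of the FCI server (Step 11)
    'ADRMS\AD RMS Service Group'  # local group created by AD RMS setup (Step 12)
)

if (-not (Test-Path -Path $asmx)) {
    throw "ServerCertification.asmx not found at $asmx (is the AD RMS role installed on this server?)"
}

$acl = Get-Acl -Path $asmx
foreach ($p in $principals) {
    # ReadAndExecute only: the page must be readable and runnable by IIS for these
    # identities, but nothing on the certification endpoint should be writable by them.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $p,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $asmx -AclObject $acl

# Verification: list every Allow ACE and flag any Write right on the two
# principals we just added (there should be none).
$writeRight = [System.Security.AccessControl.FileSystemRights]::Write
(Get-Acl -Path $asmx).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $flag = ''
        if (($principals -contains $_.IdentityReference.Value) -and
            ($_.FileSystemRights -band $writeRight)) {
            $flag = '   <-- has Write; remove it'
        }
        '{0,-32} {1}{2}' -f $_.IdentityReference.Value, $_.FileSystemRights, $flag
    }
```

Run it once, then restart the AD RMS server as the last step above says so that the new ACL is in effect for the IIS worker process. The listing at the end is the check to keep: if either principal shows Modify or Write, the grant was widened beyond what enrollment needs.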

Step 13 - Create FabrikamDocuments Shared Folder

This step explains how to create the FabrikamDocuments shared folder. This is the folder that

will store all of the content Fabrikam wishes to rights protect. The Read/Write share permission

for Everyone used below keeps the lab simple; in production, limit the share and NTFS permissions

to the groups that should reach these documents, because a file is unprotected from the moment

it is written until the classification rules and file management tasks have run against it.

1. Log on to FCI.fabrikam.com as Administrator

2. Click Start, click Computer, and then double-click Local Disk (C:).

3. Click File, point to New, and then click Folder.

4. Type FabrikamDocuments for the new folder, and then press ENTER.

5. Right-click FabrikamDocuments, click Share with, and then click Specific people.

6. On the File Sharing window, in the box under Type a name and then click Add, or

click the arrow to find someone, select Everyone, and then click Add. The Everyone

group should now appear in the box below. Under Permission Level, select

Read/Write.

7. Click Share. The window should change and you should now see Your folder is

shared.

8. Click Done.


Step 14 - Grant FCI Server Send As Rights

This step explains how to grant the FCI machine account the Send As right on the Administrator

account. This will allow the FCI machine to send e-mail notifications as the Administrator when

documents are rights protected. Send As on the domain Administrator account lets the FCI

computer account send mail that is indistinguishable from the Administrator's; outside a lab,

grant Send As on a dedicated notification mailbox instead and use that address in Step 15.

1. Log on to the EX.corp.fabrikam.com Server as Administrator.

2. Click Start, select Administrative Tools, and click Active Directory Users and

Computers.

3. On the View menu, click Advanced Features.

4. On the left, expand fabrikam.com and click the Users container. On the right, right-

click Administrator and then select Properties. This will bring up the Administrator

Properties window.

5. On the Administrator Properties screen, select the Security tab and click Add. This

will bring up the Select Users, Computers, or Groups screen.

6. On the Select Users, Computers, or Groups screen, to the right, click the Object

Types… button. This will bring up the Object Types screen.

7. On the Object Types screen, place a check in Computers and click Ok. This will close

the Object Types screen.

8. On the Select Users, Computers, or Groups screen, under Enter the object names to

select, enter fabrikam\FCI and click Check Names. This should resolve with an

underline. Click Ok.

9. Under Group or user names:, make sure FCI (FABRIKAM\FCI$) is selected.

10. In the Permissions for FCI list, locate Send As and select Allow. Click Apply, and then

click OK. This will close the Administrator Properties screen.

11. Close Active Directory Users and Computers.

Step 15 - Configure FCI for E-mail Notification

This step explains how to add e-mail configuration options to the File Classification Infrastructure.

This will allow for email notifications when documents are rights protected. We will be using our

Exchange 2007 Server for this purpose.

1. Log on to FCI.fabrikam.com as Administrator


2. Click Start, click Administrative Tools, and click File Server Resource Manager.

3. In the File Server Resource Manager, on the right, under Actions, click Configure

Options. This will bring up the File Server Resource Manager Options.

4. Under SMTP server name or IP address, enter EX.fabrikam.com.

5. Under Default administrator recipients, enter [email protected].

6. Under Default “From” e-mail address, enter [email protected].

7. Click OK.

Important

You can test this by using the Send Test E-mail button that is provided on the

File Server Resource Manager Options page.

Step 16 - Change Timeout on Certification Path Validation Settings

This step explains how to change the default path validation cumulative retrieval timeout from 20

seconds to 2 seconds. This is needed only because the lab servers have no Internet access: when

the AD RMS Bulk Protection Tool activates the FCI server, certificate chain building tries to

retrieve CRL and AIA data from URLs it cannot reach, and with the default timeout the activation

fails before chain building gives up. If this GPO setting is not changed, the AD RMS Bulk

Protection Tool will fail when attempting to activate the FCI server.

Important

The setting is made here in the Default Domain Policy and therefore reaches every computer

in the domain. Outside a lab, put it in a GPO linked only to the servers that need it. Also

note the trade-off: a 2-second cumulative timeout makes chain building give up quickly on

unreachable revocation endpoints, so on those computers revocation status for certificates

whose CRL locations are Internet-only is effectively not checked.

1. Log on to the DC.corp.fabrikam.com Server as Administrator.

2. Click Start, select Administrative Tools, and click Group Policy Management.

3. Expand Forest: fabrikam.com, expand Domains, expand fabrikam.com, right-click

Default Domain Policy, and then click Edit. This will bring up the Group Policy

Management Editor.

4. On the left, expand Computer Configuration, expand Windows Settings, expand

Security Settings, and click Public Key Policies.

5. On the right, right-click Certificate Path Validation Settings and click Properties. This

will bring up the Certificate Path Validation Settings Properties.

6. On the Certificate Path Validation Settings screen, click the Network Retrieval tab.

7. On the Network Retrieval screen, place a check in Define these policy settings and in

the middle, change Default path validation cumulative retrieval timeout (in seconds)

to 2.

8. Click Apply, and then click OK. This will close the Certificate Path Validation Settings.

9. Close Group Policy Management.

Refresh the policy on the FCI server

1. Log on to the FCI.fabrikam.com Server as Administrator

2. Click Start, and click Command Prompt. This will open a command prompt window.

3. From the command prompt, type gpupdate /force and press ENTER. Once this completes,

it should report that the user and computer policies were updated successfully.

4. Close the Command Prompt.

Step 17 - Create Business Impact Classification Property

This step explains how to create the Business Impact Classification Property. Classification

properties are used to assign values to files. There are many property types that you can choose

from, and you can define them based on the policies your organization wants to enforce. This will

be an ordered list property. A value of High will indicate that the document has a high business

impact, while a value of Low will represent a low business impact.

1. Log on to FCI.fabrikam.com as Administrator

2. Click Start, click Administrative Tools, and click File Server Resource Manager.

3. In the File Server Resource Manager, on the left, expand Classification Management,

and right-click Classification Properties, and select Create Property. This will bring up

the Create Classification Property Definition window.

4. Under Property name, enter Business Impact.

5. Under Description, enter Describes the impact to the business if this file were to be

disclosed to the public. Valid values are High and Low.

6. Under Property type, select Ordered List.

7. Under Value, enter High. This will add a row below the value we just entered.

8. Under the High value we just added, enter Low.

9. Click OK.


Step 18 - Create dateEncrypted Classification Property

This step explains how to create the dateEncrypted Classification Property. It allows for tracking

which files have already been encrypted and do not need to be encrypted again. This will be a

Date-Time property. It will indicate when the file was last encrypted.

1. Log on to FCI.fabrikam.com as Administrator

2. Click Start, click Administrative Tools, and click File Server Resource Manager.

3. In the File Server Resource Manager, on the left, expand Classification Management,

and right-click Classification Properties, and select Create Property. This will bring up

the Create Classification Property Definition window.

4. Under Property name, enter dateEncrypted.

5. Under Description, enter When this document was encrypted.

6. Under Property type, select Date-Time.

7. Click OK.

Step 19 - Create LBI Classification Rule

This step explains how to create the LBI Classification Rule. This rule will classify all of our

documents with an LBI property value. Later the HBI Classification Rule will override these LBI

values if the documents match the criteria in the HBI Classification rule.

1. Log on to FCI.fabrikam.com as Administrator

2. Click Start, click Administrative Tools, and click File Server Resource Manager.

3. In the File Server Resource Manager, on the left, expand Classification Management,

and right-click Classification Rules, and select Create a New Rule. This will bring up

the Classification Rule Definitions window.

4. Under Rule name:, enter Low Business Impact.

5. Under Description, enter Classify all documents with low business impact by

default.

6. Under Scope, click Add and browse to FabrikamDocuments. Click OK.

7. At the top, click the Classification tab.

8. Under Choose a method to assign the property value, select Folder Classifier from

the drop-down.

9. Under Choose a property value to be assigned, select Business Impact

Classification Property from the drop-down.

10. Under Property value to be assigned, select Low from the drop-down.

11. Click OK.

Step 20 - Create HBI Classification Rule

This step explains how to create the HBI Classification Rule. This rule will search the content of

documents and if the string “Intellectual Property” is found, it will classify this document as having

high business impact. This classification will override any previously assigned classification as

low business impact.

1. Log on to FCI.fabrikam.com as Administrator

2. Click Start, click Administrative Tools, and click File Server Resource Manager.

3. In the File Server Resource Manager, on the left, expand Classification Management,

and right-click Classification Rules, and select Create a New Rule. This will bring up

the Classification Rule Definitions window.

4. Under Rule name:, enter High Business Impact.

5. Under Description, enter Determines if the document has a high business impact

based on the presence of the string “Intellectual Property”.

6. Under Scope, click Add and browse to FabrikamDocuments. Click OK.

7. At the top, click the Classification tab.

8. Under Choose a method to assign the property value, select Content Classifier from

the drop-down.

9. Under Choose a property value to be assigned, select Business Impact

Classification Property from the drop-down.

10. Under Property value to be assigned, select High from the drop-down.

11. Click Advanced. This will bring up the Additional Rule Parameters.

12. Under Evaluation type, place a check in the Re-evaluate existing property values

box and select Aggregate the values. With an ordered list property, aggregation keeps

the higher value, which is how High overrides the Low assigned by the folder classifier.

13. At the top, click the Additional Classification Parameters tab.

14. Under the box that says Name, enter String. Under the box that says Value, enter

Intellectual Property.

15. Click OK. Click OK.


Step 21 - Restrict Files to Fabrikam Employees

This step explains how to create a file management task to restrict access of low business impact

files to Fabrikam employees. This task will apply the Fabrikam Confidential rights policy template

to all of the documents that have been classified with a Low property and that have not already

been encrypted. The original owner of the file will retain full control of the AD RMS protection,

unless the owner is not registered in Active Directory. In that case, the Administrator will gain full

control of the AD RMS protection on the file. It will also send an e-mail message to the owner of

each file when it is encrypted.

1. Log on to FCI.fabrikam.com as Administrator

2. Copy the script from Appendix A into Notepad and save it as

c:\windows\system32\MarkLBIandProtect.ps1.

3. Click Start, click Administrative Tools, and click File Server Resource Manager.

4. In the File Server Resource Manager, on the left, right-click File Management Tasks,

and select Create File Management Task. This will bring up the Create File

Management Task window.

5. Under Task name:, enter Restrict files to employees of Fabrikam.

6. Under Description, enter Apply Fabrikam Confidential rights policy.

7. Under Scope, click Add and browse to FabrikamDocuments. Click OK

8. At the top, click the Action tab.

9. Under Type, select Custom from the drop-down.

10. Under Executable, select Browse and navigate to

c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe.

11. Under Arguments, enter -File c:\windows\system32\MarkLBIandProtect.ps1

[Source File Path] [Source File Owner Email] [email protected].

12. Under Run the command as:, select Local System.

13. At the top, click the Condition tab.

14. Click Add. This will bring up the Property Condition window.

15. On the Property Condition window, make sure Property: is set to Business Impact,

set the Operator: to Equals, and for the Value: select Low from the drop-down. Click

Ok.

16. Click Add. This will bring up the Property Condition window.

17. On the Property Condition window, make sure Property: is set to dateEncrypted, and

select not exist for the condition. Click OK.

18. At the top, click the Notification tab.

19. Click Add. This will bring up the Add Notification window.

20. Set the Number of days before the task is executed to send notification to 0.

21. Check Send e-mail to the following administrators:

22. In the box, enter [email protected].

23. Check Send e-mail to the user whose files are about to expire.

24. Under Subject: enter File encrypted.

25. Click OK.

26. At the top, click the Schedule tab.

27. On the Schedule tab, click Create. This will bring up the Schedule window.

28. On the Schedule window, click New.

29. Accept the defaults and click OK. This will close the Schedule window.

30. Click OK. This will close the Create File Management Task window.

Important

After the installation of PowerShell, the execution of scripts is disabled by default, so the

custom action above will fail until the execution policy on the FCI server permits local scripts.

The document's example is Set-ExecutionPolicy Unrestricted; the narrower choice that still

works for a script created locally is Set-ExecutionPolicy RemoteSigned. Alternatively, the

execution policy can be set to AllSigned and the script can be signed. Because the task runs

the script as Local System, anyone who can modify the .ps1 file runs code as Local System;

keeping it under C:\Windows\System32, where only administrators can write, is what protects

it. For more information about this topic, please see Running Windows PowerShell Scripts

(http://go.microsoft.com/fwlink/?LinkID=119588).
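The two conditions the note above describes, an execution policy that permits the script and a script file that only administrators can change, can be checked before the task is enabled. The following PowerShell script is an added example (not from the whitepaper and not part of the Appendix A script) that reports both for the Step 21 script; run it on FCI.fabrikam.com in the same 64-bit PowerShell host the task invokes. It assumes the script path from Step 21 and treats SYSTEM, Administrators and TrustedInstaller as the only identities that may hold write-type rights.

```powershell
# Added example (not from the whitepaper): pre-flight check for a custom
# file management action that runs a PowerShell script as Local System.
# (1) Is the execution policy of this host going to allow the script?
# (2) Can anyone other than admin-equivalent identities modify the script?
# Assumptions: script path from Step 21; trusted writer list below.

$script = 'C:\Windows\System32\MarkLBIandProtect.ps1'

# 1. Execution policy of the host the task points at (64-bit powershell.exe).
#    RemoteSigned allows local scripts and is narrower than Unrestricted;
#    AllSigned with a signed script is stricter still.
$policy = Get-ExecutionPolicy
switch ($policy) {
    'Restricted'   { "Execution policy is Restricted; run:  Set-ExecutionPolicy RemoteSigned" }
    'Unrestricted' { "Execution policy is Unrestricted; RemoteSigned is sufficient for $script" }
    default        { "Execution policy $policy allows local scripts" }
}

# 2. Script ACL. Any Allow ACE carrying write-type rights for a principal outside
#    the trusted list means that principal can run arbitrary code as Local System
#    the next time the task fires.
$trustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership, FullControl'

if (-not (Test-Path -Path $script)) { throw "Script not found: $script" }
$acl = Get-Acl -Path $script
$warnings = 0
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (-not ($ace.FileSystemRights -band $writeMask)) { continue }
    $who = $ace.IdentityReference.Value
    if ($trustedWriters -notcontains $who) {
        $warnings++
        "WARNING: $who holds $($ace.FileSystemRights) on $script and can therefore run code as Local System"
    }
}
"Owner of ${script}: $($acl.Owner)"
if ($warnings -eq 0) { "ACL check passed: only trusted identities can modify $script" }
```

Run the same check against the Step 22 script by changing the path. If the script is ever moved out of System32 to make editing easier, the ACL warning is the signal that the move widened who can run code as Local System.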

Step 22 - Restrict Files to Full-Time Fabrikam Employees

This step explains how to create a file management task to restrict access of high business

impact files to full-time Fabrikam employees. This task will apply the Fabrikam FTE Confidential

rights policy template to all of the documents that have been classified with a High property. The

original owner of the file will retain full control of the AD RMS protection, unless the owner is not

registered in Active Directory. In that case, the Administrator will gain full control of the AD RMS

protection on the file. It will also send an e-mail to the owner of the document when the template

is applied to the document.

1. Log on to FCI.fabrikam.com as Administrator

2. Copy the script from Appendix B into Notepad and save it as

c:\windows\system32\MarkHBIandProtect.ps1.


3. Click Start, click Administrative Tools, and click File Server Resource Manager.

4. In the File Server Resource Manager, on the left, right-click File Management Tasks,

and select Create File Management Task. This will bring up the Create File

Management Task window.

5. Under Task name:, enter Restrict HBI files to full-time Fabrikam employees.

6. Under Description, enter Apply Fabrikam FTE Confidential rights policy.

7. Under Scope, click Add and browse to FabrikamDocuments. Click OK

8. At the top, click the Action tab.

9. Under Type, select Custom from the drop-down.

10. Under Executable, select Browse and navigate to

c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe.

11. Under Arguments, enter -File c:\windows\system32\MarkHBIandProtect.ps1

[Source File Path].

12. Under Run the command as:, select Local System.

13. At the top, click the Condition tab.

14. Click Add. This will bring up the Property Condition window.

15. On the Property Condition window, make sure Property: is set to Business Impact,

set the Operator: to Equals, and for the Value: select High from the drop-down. Click

Ok.

16. Click Add. This will bring up the Property Condition window.

17. On the Property Condition window, make sure Property: is set to dateEncrypted,

select not exist for the condition, and then click OK.

18. At the top, click the Notification tab.

19. Click Add. This will bring up the Add Notification window.

20. Set the Number of days before the task is executed to send notification to 0.

21. Check Send e-mail to the following administrators:

22. In the box, enter [email protected].

23. Check Send e-mail to the user whose files are about to expire.

24. Change the text in the Subject and Message body boxes to indicate that the file was

encrypted.

25. Click OK.

26. At the top, click the Schedule tab.

27. On the Schedule tab, click Create. This will bring up the Schedule window.

28. On the Schedule window, click New.

29. Accept the defaults and click OK. This will close the Schedule window.

30. Click OK. This will close the Create File Management Task window.


Testing the Implementation

The following sections explain how to test and verify that the AD RMS Bulk Protection Tool and

FCI are working together and classifying and protecting content accordingly.

This section consists of the following steps:

1. Step 1 - Create an Intellectual Property Word document

2. Step 2 - Create a General Word document

3. Step 3 - Run File Server Resource Manager Classification Rules

4. Step 4 - Run File Management Tasks

5. Step 5 - Consume documents as Britta Simon

6. Step 6 - Consume documents as Lola Jacobson

Step 1 - Create an Intellectual Property Word Document

This section explains how to create a Word document that contains the phrase “Intellectual

Property.”

1. Log on to the CLT1.fabrikam.com as Administrator.

2. Click Start, select All Programs, click Microsoft Office, and select Microsoft Office

Word 2007. This will bring up Word 2007 with a blank document.

3. On the blank document type the words Intellectual Property.

4. At the top, click the Office button and select Save As from the drop-down.

5. At the top, replace the Libraries > Documents location with

\\FCI.fabrikam.com\FabrikamDocuments.

6. Under File Name:, enter Spec.

7. Click Save.

8. Close Word.

Step 2 - Create a General Word Document

This section explains how to create a general Word document. This document will have the LBI

policy applied to it.


1. Log on to the CLT1.fabrikam.com as Administrator.

2. Click Start, select All Programs, click Microsoft Office, and select Microsoft Office

Word 2007. This will bring up Word 2007 with a blank document.

3. On the blank document type the words Meeting notes.

4. At the top, click the Office button and select Save As from the drop-down.

5. At the top, replace the Libraries > Documents location with

\\FCI.fabrikam.com\FabrikamDocuments.

6. Under File Name:, enter Notes.

7. Click Save.

8. Close Word.

Step 3 - Run File Server Resource Manager Classification Rules

This step explains how to manually run the classification rules. This is only being done for testing

purposes. These can be automated so that they do not have to be run manually.

1. Log on to FCI.fabrikam.com as Administrator

2. Click Start, select Administrative Tools, and select File Server Resource Manager.

3. In the File Server Resource Manager, on the left, expand Classification Management,

and right-click Classification Rules, and select Run Classification With All Rules

Now. This will bring up the Run Classification window.

4. Under How do you want to proceed?, select Wait for classification to complete

execution. Click Ok.

5. Once classification finishes, examine the report. Spec.doc should be classified as

High and Notes.doc should be classified as Low.

6. Close the report.

7. Close File Server Resource Manager.


Step 4 - Run File Management Tasks

This step explains how to manually run the File Management Tasks. These tasks will now apply

the rights policy templates to our documents based on the properties that were set in the previous

step. This is only being done for testing purposes. These can be automated so that they do not

have to be run manually.

1. Log on to FCI.fabrikam.com as Administrator

2. Click Start, select Administrative Tools, and select File Server Resource Manager.

3. In the File Server Resource Manager, click File Management Tasks. Our File

Management Tasks should appear in the center of the File Server Resource Manager.

4. Right-click the Restrict files to employees of Fabrikam task, and select Run File

Management Task Now. This will bring up the Run File Management Task window.

5. Under How do you want to proceed?, select Wait for task to complete execution.

Click Ok.

6. Once the File Management Task has completed, examine the report.

7. Close the report.

8. Right-click Fabrikam FTE Confidential File Management Task, and select Run File

Management Task Now. This will bring up the Run File Management Task window.

9. Under How do you want to proceed?, select Wait for task to complete execution.

Click Ok.

10. Once the File Management Task has completed, examine the report.

11. Close the report.

12. Close File Server Resource Manager.
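The manual runs in Steps 3 and 4 can also be driven from Windows PowerShell on the file server, which is how the "these can be automated" remark above is normally realized. The script below is an added example and is not part of the original whitepaper: it runs the classification pass, checks the two test documents against the results expected in Step 3, runs both file management tasks, and finally confirms that each file carries the dateEncrypted stamp that the task scripts write. Windows Server 2008 R2 has no FSRM cmdlets, so it uses the FSRM COM automation interfaces from the Windows SDK. Assumptions: it runs as Administrator on FCI.fabrikam.com, the share is backed by C:\FabrikamDocuments, the ordered-list property that the FSRM console shows as "Business Impact" is stored under that name, and the tasks are named as in Step 4.

```powershell
# Added example (not part of the original whitepaper): run the FCI classification rules
# and the two file management tasks without the FSRM console, then read the results back.
# Assumptions: run as Administrator on FCI.fabrikam.com; share backed by C:\FabrikamDocuments;
# the ordered-list property shown as "Business Impact" in the console is stored under that name.
$ErrorActionPreference = 'Stop'

$ShareRoot      = 'C:\FabrikamDocuments'
$ImpactProperty = 'Business Impact'                   # assumed property name
$TaskNames      = 'Fabrikam Confidential File Management Task',
                  'Fabrikam FTE Confidential File Management Task'
$Expected       = @{ 'spec.doc' = 'High'; 'notes.doc' = 'Low' }   # outcome stated in Step 3

$Interactive    = 1      # FsrmReportGenerationContext: 1 = interactive, same as "Run ... Now"
$NoRuleEval     = 1      # FsrmGetFilePropertyOptions: 1 = read the stored value, do not classify
$TimeoutSeconds = 3600

function Get-StoredProperty([object]$Manager, [string]$Path, [string]$Name) {
    # Returns the stored value, or $null when the property is not set on the file
    # (GetFileProperty raises a COM error in that case).
    try   { return $Manager.GetFileProperty($Path, $Name, $NoRuleEval).Value }
    catch { return $null }
}

# --- Step 3: classification pass ---------------------------------------------------
$cls = New-Object -ComObject Fsrm.FsrmClassificationManager
$cls.RunClassification($Interactive, '')            # second argument is reserved
$cls.WaitForClassificationCompletion($TimeoutSeconds)
if ($cls.ClassificationLastError) {
    throw "Classification failed: $($cls.ClassificationLastError)"
}

foreach ($file in $Expected.Keys) {
    $path   = Join-Path $ShareRoot $file
    $actual = Get-StoredProperty $cls $path $ImpactProperty
    $status = if ($actual -eq $Expected[$file]) { 'OK' } else { 'MISMATCH' }
    "{0,-10} {1,-9} expected={2,-5} actual={3}" -f $file, $status, $Expected[$file], $actual
}

# --- Step 4: file management tasks -------------------------------------------------
$jobs = New-Object -ComObject Fsrm.FsrmFileManagementJobManager
foreach ($name in $TaskNames) {
    $job = $jobs.Get($name)
    $job.Run($Interactive)
    $job.WaitForCompletion($TimeoutSeconds)
    if ($job.LastError) { throw "Task '$name' failed: $($job.LastError)" }
    "Task '$name' finished; report: $($job.LastReportPathWithoutExtension).*"
}

# The task scripts (Appendices A and B) stamp dateEncrypted only after RmsBulk.exe
# exits 0, so its presence is the evidence that protection actually happened.
foreach ($file in $Expected.Keys) {
    $path  = Join-Path $ShareRoot $file
    $stamp = Get-StoredProperty $cls $path 'dateEncrypted'
    if ($stamp) { "$file protected (dateEncrypted = $stamp)" } else { "$file NOT protected" }
}
```

Reading the property with the no-rule-evaluation option is deliberate: it reports what the classification pass persisted rather than re-classifying the file on the fly, so a mismatch points at the rules or the schedule and not at the check itself.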

Step 5 - Consume Documents As Britta Simon

In this step we attempt to open the documents that were rights-protected in the previous step, logged on as Britta Simon, a Fabrikam full-time employee. Both templates grant full-time employees access, so she should be able to open both documents.

The following steps show how to consume the documents as Britta Simon.

1. Log on to CLT1.fabrikam.com as fabrikam\bsimon

2. Click the Windows button.

3. In the search box, type \\FCI.fabrikam.com\FabrikamDocuments. This will open the

FabrikamDocuments share.

4. Double-click notes.doc.

5. When prompted for credentials, for User name: enter bsimon. For Password, enter Pass1word$. This starts the AD RMS client bootstrapping for Britta Simon (the client obtains her rights account certificate from the AD RMS cluster).

6. Once this completes, you should see a pop-up window that says Permissions to this

document is currently restricted. Microsoft Office must connect to

http://adrms.fabrikam.com/_wmcs/licensing to verify your credentials and

download your permissions. Click OK.

7. Once this completes, you should be able to view notes.doc. Close notes.doc

8. Double-click spec.doc.

9. When prompted for credentials, for User name: enter bsimon. For Password, enter

Pass1word$.

10. You should see a pop-up window that says Permissions to this document is currently

restricted. Microsoft Office must connect to

http://adrms.fabrikam.com/_wmcs/licensing to verify your credentials and

download your permissions. Click OK.

11. Once this completes, you should be able to view spec.doc. Close spec.doc

Step 6 - Consume Documents As Lola Jacobson

In this step we will be attempting to open the documents as Lola Jacobson, a contractor. Lola

should be able to access the notes.doc file but should not be allowed to access the spec.doc file.

The following steps show how to consume the documents as Lola Jacobson.

1. Log on to CLT2.fabrikam.com as fabrikam\ljacobson

2. Click the Windows button.

3. In the search box, type \\FCI.fabrikam.com\FabrikamDocuments. This will open the FabrikamDocuments share.

4. Double-click notes.doc.

5. When prompted for credentials, for User name: enter ljacobson. For Password, enter Pass1word$. This starts the AD RMS client bootstrapping for Lola Jacobson (the client obtains her rights account certificate from the AD RMS cluster).

6. Once this completes, you should see a pop-up window that says Permissions to this

document is currently restricted. Microsoft Office must connect to

http://adrms.fabrikam.com/_wmcs/licensing to verify your credentials and

download your permissions. Click OK.

7. Once this completes, you should be able to view notes.doc. Close notes.doc

8. Double-click spec.doc.

9. When prompted for credentials, for User name: enter ljacobson. For Password, enter

Pass1word$.

10. You should see a pop-up window that says Permissions to this document is currently

restricted. Microsoft Office must connect to

http://adrms.fabrikam.com/_wmcs/licensing to verify your credentials and

download your permissions. Click OK.

11. Once this completes, you should see a pop-up window that says You do not have credentials that allow you to open this document. Do you want to open it using a different set of credentials? Click No. This is the expected result: the Fabrikam FTE Confidential template grants rights only to full-time employees, so the AD RMS licensing service will not issue a contractor a use license for spec.doc. At this point, you should not have any open document in Word. Close Word.

Step 7 - Check Administrator's Email

This section explains how to check the Administrator's e-mail. This verifies that the FCI server has sent its notification e-mail.

1. Log on to CLT1.fabrikam.com as Administrator.

2. Click Start, select All Programs, click Microsoft Office, and select Microsoft Office

Outlook 2007. This will bring up Outlook 2007.

3. Verify that the FCI server has sent the Administrator e-mail.


Appendix A - MarkLBIandProtect Windows Powershell Script

The following Windows PowerShell script is the custom action run by the Fabrikam Confidential file management task. FSRM runs it once for each matching file, passing the file path and the file owner's e-mail address as arguments; the script protects the file with the Fabrikam_Confidential rights policy template, which restricts it to employees, and records when the file was protected.

# Execute the AD RMS Bulk Protection Tool on the file FSRM passed in.
# $args[0] is the file path. It is wrapped in quotes because Start-Process joins
# -ArgumentList with spaces, so a path containing spaces would otherwise split.
$encryptfile = '"' + $args[0] + '"'

# $args[1] is the owner's e-mail address. When FSRM cannot resolve
# [Source File Owner Email], the unquoted placeholder arrives split into four
# tokens ("[Source", "File", "Owner", "Email]"), so fall back to the next task
# argument, which is then $args[5].
$owneremail = $args[1]
if ($owneremail -eq "[Source")
{
    $owneremail = $args[5]
}

# Protect the file with the Fabrikam_Confidential template, append to the shared
# log, and keep the file's attributes.
$r = Start-Process -Wait -PassThru -FilePath C:\Windows\SysWOW64\RmsBulk.exe -ArgumentList `
    "/encrypt", $encryptfile, "\\adrms.fabrikam.com\ADRMSPublic\Fabrikam_Confidential.xml", `
    $owneremail, "/log", "C:\FabrikamDocuments\RmsLog.log", "/append", "/preserveattributes"

# Only when the bulk tool reports success, record the protection time in the
# dateEncrypted classification property: a UTC FILETIME truncated to whole seconds
# (FILETIME counts 100-nanosecond intervals, 10,000,000 per second).
if ($r.ExitCode -eq 0)
{
    $c = New-Object -ComObject Fsrm.FsrmClassificationManager
    $d = (Get-Date).ToFileTimeUtc()
    $d = $d - ($d % 10000000)
    $c.SetFileProperty($args[0], "dateEncrypted", $d.ToString())
}


Appendix B - MarkHBIandProtect Windows PowerShell Script

The following Windows PowerShell script is the custom action run by the Fabrikam FTE Confidential file management task. It is identical to the script in Appendix A except that it protects the file with the Fabrikam_FTE_Confidential rights policy template, which restricts the file to full-time employees only.

# Execute the AD RMS Bulk Protection Tool on the file FSRM passed in
# ($args[0], quoted so that a path with spaces survives Start-Process).
$encryptfile = '"' + $args[0] + '"'

# $args[1] is the owner's e-mail address; if FSRM left the
# [Source File Owner Email] placeholder unresolved it is split into four
# tokens, and the fallback address is the next argument, $args[5].
$owneremail = $args[1]
if ($owneremail -eq "[Source")
{
    $owneremail = $args[5]
}

# Protect the file with the Fabrikam_FTE_Confidential template.
$r = Start-Process -Wait -PassThru -FilePath C:\Windows\SysWOW64\RmsBulk.exe -ArgumentList `
    "/encrypt", $encryptfile, "\\adrms.fabrikam.com\ADRMSPublic\Fabrikam_FTE_Confidential.xml", `
    $owneremail, "/log", "C:\FabrikamDocuments\RmsLog.log", "/append", "/preserveattributes"

# On success, stamp the file with the protection time as a UTC FILETIME
# truncated to whole seconds.
if ($r.ExitCode -eq 0)
{
    $c = New-Object -ComObject Fsrm.FsrmClassificationManager
    $d = (Get-Date).ToFileTimeUtc()
    $d = $d - ($d % 10000000)
    $c.SetFileProperty($args[0], "dateEncrypted", $d.ToString())
}
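Appendices A and B differ only in the template name. As an added example that is not the whitepaper's own script, the following single script takes the template as a parameter and collects the task's arguments after it, so one .ps1 can back both file management tasks. It handles the unresolved [Source File Owner Email] case generally (it scans for the closing bracket instead of relying on a fixed $args[5]) and validates its inputs before calling RmsBulk.exe: the file must exist under the share, the template must be a bare file name rather than a path, and the address must at least look like an e-mail address. It assumes the custom-action command line shown in its header comment, that the share is backed by C:\FabrikamDocuments, and the same template share, tool path and log file as the appendices.

```powershell
# Added example, not the whitepaper's own script: one parameterized replacement for the
# MarkLBIandProtect (Appendix A) and MarkHBIandProtect (Appendix B) custom actions.
# Assumed custom-action command line for each task, with that task's template name
# (the placeholders are the ones the appendices rely on; the path placeholder is quoted):
#   powershell.exe -File C:\Scripts\Protect-WithTemplate.ps1 Fabrikam_FTE_Confidential.xml
#       "[Source File Path]" [Source File Owner Email] administrator@fabrikam.com
param(
    [Parameter(Mandatory = $true, Position = 0)][string]$Template,
    [Parameter(ValueFromRemainingArguments = $true)][string[]]$TaskArgs
)
$ErrorActionPreference = 'Stop'

$ShareRoot    = 'C:\FabrikamDocuments'                 # assumed, matches the appendices' log path
$TemplateBase = '\\adrms.fabrikam.com\ADRMSPublic'     # template share from the appendices
$BulkTool     = 'C:\Windows\SysWOW64\RmsBulk.exe'
$LogFile      = Join-Path $ShareRoot 'RmsLog.log'

function Resolve-OwnerEmail([string[]]$Tokens) {
    # FSRM substitutes [Source File Owner Email] only when the owner has a mail address.
    # Otherwise the unquoted placeholder arrives split into "[Source", "File", "Owner",
    # "Email]"; skip to the token that closes the bracket and use the address after it.
    if ($Tokens.Count -eq 0) { return $null }
    if (-not $Tokens[0].StartsWith('[')) { return $Tokens[0] }     # placeholder was resolved
    for ($i = 0; $i -lt $Tokens.Count; $i++) {
        if ($Tokens[$i].EndsWith(']')) {
            if ($i + 1 -lt $Tokens.Count) { return $Tokens[$i + 1] }  # fallback address
            return $null
        }
    }
    return $null
}

if ($TaskArgs.Count -lt 2) {
    throw 'Usage: <template.xml> <file path> <owner e-mail tokens...> <fallback e-mail>'
}
$file  = $TaskArgs[0]
$owner = Resolve-OwnerEmail ($TaskArgs[1..($TaskArgs.Count - 1)])

# Input checks before anything reaches the bulk tool.
$full = [System.IO.Path]::GetFullPath($file)
if (-not $full.StartsWith(($ShareRoot + '\'), [StringComparison]::OrdinalIgnoreCase) -or
    -not (Test-Path -LiteralPath $full -PathType Leaf)) {
    throw "Refusing to protect '$file': not a file under $ShareRoot"
}
if ([System.IO.Path]::GetFileName($Template) -ne $Template) {
    throw "Template must be a file name, not a path: '$Template'"
}
if (-not $owner -or $owner -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
    throw "No usable owner e-mail address in task arguments: $TaskArgs"
}

# Same RmsBulk.exe invocation as the appendices; quoted because Start-Process
# joins -ArgumentList with spaces.
$r = Start-Process -Wait -PassThru -FilePath $BulkTool -ArgumentList @(
        '/encrypt', ('"{0}"' -f $full),
        ('"{0}"' -f (Join-Path $TemplateBase $Template)),
        $owner, '/log', ('"{0}"' -f $LogFile), '/append', '/preserveattributes')
if ($r.ExitCode -ne 0) {
    throw "RmsBulk.exe exited with $($r.ExitCode) for '$full'; see $LogFile"
}

# As in the appendices: record the protection time as a UTC FILETIME truncated to
# whole seconds (FILETIME counts 100-nanosecond intervals).
$t = (Get-Date).ToFileTimeUtc()
$t -= $t % 10000000
$cls = New-Object -ComObject Fsrm.FsrmClassificationManager
$cls.SetFileProperty($full, 'dateEncrypted', $t.ToString())
```

The checks matter because the custom action runs with whatever account the task is configured to use, and its only inputs are strings FSRM builds from file metadata; refusing anything that is not a regular file under the share, or a template name that is not a bare file name, keeps an odd argument from turning into a call against an unexpected path.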


Appendix C - Using a Regular Expression with FCI

The following is an example of creating an FCI classification rule that uses a regular expression. A regular expression is a pattern of text made up of ordinary characters (for example, the letters a through z) and special characters, known as metacharacters. The pattern describes one or more strings to match when searching text. The example below uses a regular expression to look for Social Security number-style values: three digits, a hyphen, two digits, a hyphen and four digits (ddd-dd-dddd). A document containing such a value is classified as having a high business impact. Because the rule aggregates with existing values (step 12 below), it can raise a document's Business Impact to High but never lower it, so it combines safely with rules that already set the property.

1. Log on to FCI.fabrikam.com as Administrator

2. Click Start, click Administrative Tools, and click File Server Resource Manager.

3. In the File Server Resource Manager, on the left, expand Classification Management,

and right-click Classification Rules, and select Create a New Rule. This will bring up

the Classification Rule Definitions window.

4. Under Rule name:, enter Social Security Rule.

5. Under Description, enter Determines if the document contains a Social Security number pattern.

6. Under Scope, click Add and browse to FabrikamDocuments. Click OK

7. At the top, click the Classification tab.

8. Under Choose a method to assign the property value, select Content Classifier from

the drop-down.

9. Under Choose a property value to be assigned, select Business Impact

Classification Property from the drop-down.

10. Under Property value to be assigned, select High from the drop-down.

11. Click Advanced. This will bring up the Additional Rule Parameters.

12. On the Evaluation Type, place a check in the Re-evaluate existing property values

box and select Aggregate the values.

13. At the top, click the Additional Classification Parameters tab.

14. Under the box that says Name, enter RegularExpression. Under the box that says

Value, enter \d{3}-\d{2}-\d{4}.

15. Click OK. Click OK.

To test this, create a Word document containing the number 111-22-3333, save it to the FabrikamDocuments share (C:\FabrikamDocuments on FCI.fabrikam.com), and then run the classification rules and the file management tasks as in Steps 3 and 4. The document should be classified High and protected with the Fabrikam FTE Confidential template.
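Before relying on the rule, it is worth seeing what the pattern does and does not catch. The script below is an added example, not from the whitepaper: it runs the Appendix C pattern over constructed sample lines beside a tighter pattern of mine that rejects digit runs inside longer numbers and values the Social Security Administration never issues (area 000, 666 or 900-999, group 00, serial 0000). It assumes that for these constructs the .NET regular-expression engine behind PowerShell behaves like the engine used by the FCI content classifier, so the verdicts carry over; confirm in FCI before deploying the tighter pattern.

```powershell
# Added example (not from the whitepaper): exercise the Appendix C pattern against constructed
# sample text and compare it with a tighter pattern. Assumption: the .NET regex engine behind
# PowerShell matches the FCI content classifier's engine for \d, {n} and look-around.
$LoosePattern = '\d{3}-\d{2}-\d{4}'                       # the Appendix C rule as written
# Tighter: no digit on either side (so a 3-2-4 run inside a longer number does not match),
# and reject values the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000.
$TightPattern = '(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)'

function Find-Pattern([string]$Text, [string]$Pattern) {
    # All non-overlapping matches as strings ([regex]::Matches rather than -match, which stops at one).
    @([regex]::Matches($Text, $Pattern) | ForEach-Object { $_.Value })
}

# Constructed sample lines with the verdict expected from each pattern.
$Samples = @(
    @{ Text = 'Employee SSN 111-22-3333 on file'; Loose = $true;  Tight = $true  },
    @{ Text = 'Order ref 9123-45-67890 shipped';   Loose = $true;  Tight = $false },  # run inside a longer number
    @{ Text = 'Test record 000-12-3456';           Loose = $true;  Tight = $false },  # area 000 is never issued
    @{ Text = 'Ticket 666-99-1234 escalated';      Loose = $true;  Tight = $false },  # area 666 is never issued
    @{ Text = 'SSN 111 22 3333 (spaces)';          Loose = $false; Tight = $false },  # both patterns miss this
    @{ Text = 'SSN 111223333 (no separators)';     Loose = $false; Tight = $false }   # both patterns miss this
)

foreach ($s in $Samples) {
    $loose = (Find-Pattern $s.Text $LoosePattern).Count -gt 0
    $tight = (Find-Pattern $s.Text $TightPattern).Count -gt 0
    $ok    = ($loose -eq $s.Loose) -and ($tight -eq $s.Tight)
    '{0,-4} loose={1,-5} tight={2,-5} {3}' -f $(if ($ok) { 'PASS' } else { 'FAIL' }), $loose, $tight, $s.Text
}
```

The loose pattern classifies any dashed 3-2-4 digit run as High, including fragments of order numbers and values that cannot be Social Security numbers, while both patterns miss numbers written with spaces or without separators; loosening the separators catches those at the cost of more false positives, which for an aggregating rule means more documents permanently raised to High. The content classifier also only sees text that the installed IFilter extracts from the file, so a number inside an embedded image is never examined.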


For more information about using regular expressions with FCI, see Classifying files based on location and content using the File Classification Infrastructure (FCI) in Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkId=180326).

For more information about regular expression syntax, see Regular Expression Syntax (http://go.microsoft.com/fwlink/?LinkId=180327).
