Step 2: Configuring the AD RMS client

Applies To: Windows Server 2008, Windows Server 2008 R2

The AD RMS client is included in the default installation of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. Previous versions of the client are available for download for other Windows operating systems. However, only AD RMS clients included with Windows Vista with SP1, Windows Server 2008, Windows 7, or Windows Server 2008 R2 support automatic rights policy template distribution.

Note

Windows Vista Service Pack 1 can be downloaded from Windows Update (https://go.microsoft.com/fwlink/?LinkID=37392) for a single computer or from the Microsoft Download Center https://go.microsoft.com/fwlink/?LinkId=114577) for multiple computers.

This guide assumes that an AD RMS cluster is already configured in a test environment. Additionally, extra configuration is required on the AD RMS client workstation so that the rights policy templates are accessible.

Distribute Rights Policy Template by using AD RMS Rights Policy Template Distribution

The AD RMS client requests rights policy templates from the AD RMS cluster by using a scheduled task, which is configured to query the template distribution pipeline on the AD RMS cluster.

Two scheduled tasks are available: automated or manual. The automated scheduled task is configured to run up to one hour after a user logs on to the computer and every morning at 3:00 A.M., but this scheduled task is disabled by default. You can enable and change the default configuration by using the Task Scheduler control panel. After the scheduled task is enabled, you must configure a registry entry so that Microsoft Office 2007 can locate the directory in which the rights policy templates are stored.

Important

Upgrading a client computer to Windows Server 2008 R2 or Windows 7 disables these scheduled tasks. After performing the upgrade, you should re-enable the appropriate scheduled task.

Note

The automated scheduled task works only on computers that are joined to your organization’s domain. The manual scheduled task should be used for users with a domain account who are using a client computer that is not joined to your organization’s domain. In order for the manual scheduled task to work, you must configure the Enterprise Publishing client registry override found in the following registry entry: HKEY_LOCAL_MACHINE\Software\Microsof\MSDRM\ServiceLocation\EnterprisePublishing.

To enable the automated scheduled task

  1. Log on to ADRMS-CLNT as cpandl\administrator.

  2. Click Start, and then click Control Panel.

  3. Double-click Administrative Tools, and then double-click Task Scheduler.

  4. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  5. Expand Task Scheduler Library, expand Microsoft, expand Windows, and then click Active Directory Rights Management Services Client.

  6. Right-click AD RMS Rights Policy Template Management (Automated), and then click Enable.

  7. Close Task Scheduler.

Note

The automated scheduled task can also be enabled from the command prompt or though Systems Management Server or Group Policy by using the following command: schtasks /Change /TN “\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)” /ENABLE.

  1. Click Start, type regedit.exe in the Start Search box, and then press ENTER.

  2. Expand the following registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM

Note

If DRM was not already created as a part of the key, you must create it manually. For Microsoft® Office 2003, the registry entry is as follows: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\DRM.

  1. Right-click DRM, click New, and then click Expandable String Value.

  2. In the Value name box, type AdminTemplatePath, and then press ENTER.

  3. Double-click the AdminTemplatePath registry value and type %LocalAppData%\Microsoft\DRM\Templates in the Value data box, and then click OK.

  4. Close Registry Editor.

Important

If you are using a 64-bit version of Windows, you must also configure the registry entries in the Wow6432Node located at HKEY_CURRENT_USER\Software\Wow6432Node</STRONG>.

Next, you should log in as Nicole Hollida (cpandl\nhollida) on ADRMS-CLNT, wait for about an hour, and check the following directory:

%LocalAppData%\Microsoft\DRM\Templates

where %LocalAppData% equals C:\Users\nhollida\AppData\Local. Once the rights policy template is copied to the client, you are ready to continue to step 3 of this guide.

Note

The automated scheduled task will not query the AD RMS template distribution pipeline each time that this scheduled task runs. Instead, it checks updateFrequency DWORD value registry entry. This registry entry specifies the time interval (in days) after which the client should update its rights policy templates. By default the registry key is not present on the client computer. In this scenario, the client checks for new, deleted, or modified rights policy templates every 30 days. To configure an interval other than 30 days, create a registry entry at the following location: HKEY_CURRENT_USER\Software\Policies\Microsoft\MSDRM\TemplateManagement. In this registry key, you can also configure the updateIfLastUpdatedBeforeTime, which forces the client computer to update its rights policy templates.

Distribute Rights Policy Template Manually

You can still distribute rights policy templates manually through other methods, such as Systems Management Server and Group Policy. This is required for all AD RMS clients that are not running on Windows Vista with SP1 or Windows Server 2008. To do this, you must configure an export location for the rights policy templates as described in Step 1 of this guide. The rights policy templates exported to this shared folder must be copied to the folder specified in the AdminTemplatePath registry entry, as described in the previous procedure named “To enable the automated scheduled task.”

Note

When distributing rights policy templates manually, you should not use the %LocalAppData%\Microsoft\DRM\Templates folder. If you later enable automatic rights policy template distribution, there will be a conflict because the AD RMS cluster will not recognize or manage the templates in this folder that were deployed manually.

To distribute a rights policy template manually

  1. Log on to ADRMS-CLNT as Nicole Holliday (nhollida@cpandl.com).

  2. Click Start, type regedit.exe in the Start Search box, and then press ENTER.

  3. Expand the following registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM

Note

If DRM was not already created as a part of the key, you must create it manually.

  1. Right-click DRM, click New, and then click Expandable String Value.

  2. For the name, type AdminTemplatePath, and then press ENTER.

  3. Double-click the AdminTemplatePath registry value and type %LocalAppData%\Microsoft\DRM\Templates_Manual in the Value data box, and then click OK.

  4. Close Registry Editor.

  5. Verify that the path C:\Users\nhollida\AppData\Local\Microsoft\DRM\Templates\ is valid. If it is not, create the appropriate folders.

  6. Click Start, type \\ADRMS-DB\Public in the Start Search box, and then press ENTER.

  7. Copy the exported AD RMS rights policy templates from \\ADRMS-DB\Public to C:\Users\nhollida\AppData\Local\Microsoft\DRM\Templates_Manual.