Step 21 - Restrict Files to Fabrikam Employees

Applies To: Windows Server 2008, Windows Server 2008 R2

This step explains how to create a file management task that restricts access to low business impact files to Fabrikam employees. The task applies the Fabrikam Confidential rights policy template to all documents that have been classified with a Low property and that have not already been encrypted. The original owner of the file retains full control of the AD RMS protection, unless the owner is not registered in Active Directory. In that case, the Administrator gains full control of the AD RMS protection on the file. The task also sends an e-mail message to the owner of each file when it is encrypted.

To create the file management task to restrict files to employees of Fabrikam

  1. Log on to FCI.fabrikam.com as Administrator.

  2. Copy the script from Appendix A into notepad and save it as c:\windows\system32\MarkLBIandProtect.ps1.

  3. Click Start, click Administrative Tools, and click File Server Resource Manager.

  4. In the File Server Resource Manager, on the left, right-click File Management Tasks, and select Create File Management Task. This will bring up the Create File Management Task window.

  5. Under Task name:, enter Restrict files to employees of Fabrikam.

  6. Under Description, enter Apply Fabrikam Confidential rights policy.

  7. Under Scope, click Add and browse to FabrikamDocuments. Click OK.

  8. At the top, click the Action tab.

  9. Under Type, select Custom from the drop-down.

  10. Under Executable, select Browse and navigate to c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe.

  11. Under Arguments, enter -File c:\windows\system32\MarkLBIandProtect.ps1 [Source File Path] [Source File Owner Email] administrator@fabrikam.com.

  12. Under Run the command as:, select Local System.

  13. At the top, click the Condition tab.

  14. Click Add. This will bring up the Property Condition window.

  15. On the Property Condition window, make sure Property: is set to Business Impact, set the Operator: to Equals, and for the Value: select Low from the drop-down. Click OK.

  16. Click Add. This will bring up the Property Condition window.

  17. On the Property Condition window, make sure Property: is set to dateEncrypted, and select not exist for the condition. Click OK.

  18. At the top, click the Notification tab.

  19. Click Add. This will bring up the Add Notification window.

  20. Set the Number of days before the task is executed to send notification to 0.

  21. Check Send e-mail to the following administrators:

  22. In the box, enter administrator@fabrikam.com.

  23. Check Send e-mail to the user whose files are about to expire.

  24. Under Subject: enter File encrypted.

  25. Click OK.

  26. At the top, click the Schedule tab.

  27. On the Schedule tab, click Create. This will bring up the Schedule window.

  28. On the Schedule window, click New.

  29. Accept the defaults and click OK. This will close the Schedule window.

  30. Click OK. This will close the Create File Management Task window.

Important

After PowerShell is installed, script execution is disabled by default.
You must enable your system to run scripts. This can be done by using the following command: Set-ExecutionPolicy Unrestricted.
Alternatively, the execution policy can be set to signed and the script can be signed. For more information about this topic, please see Running Windows PowerShell Scripts (https://go.microsoft.com/fwlink/?LinkID=119588).
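
The following pre-flight check is an added example, not part of the original guide. Because the task runs the script saved in step 2 as Local System, it reports whether the execution policy allows unsigned scripts, whether the script carries a valid Authenticode signature, and whether any account outside an assumed trusted list can modify the file. The trusted account names (English-language Windows) and the variable names are assumptions.

```powershell
# Added example: pre-flight check for the script the task runs as Local System.
param([string]$ScriptPath = 'c:\windows\system32\MarkLBIandProtect.ps1')

# Assumption: English-language account names; adjust for localized systems.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
             'NT SERVICE\TrustedInstaller')

# Rights that allow changing the file's content, permissions or owner.
$writeMask = [int][System.Security.AccessControl.FileSystemRights](
    'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, ' +
    'Delete, ChangePermissions, TakeOwnership')

$findings = @()

if (-not (Test-Path $ScriptPath -PathType Leaf)) {
    Write-Output "MISSING: $ScriptPath"
    exit 2
}

# 1. Execution policy in effect for this session.
$policy = Get-ExecutionPolicy
if ('Unrestricted', 'Bypass' -contains "$policy") {
    $findings += "Execution policy is '$policy'; unsigned scripts are allowed to run."
}

# 2. Authenticode signature on the script itself.
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
if ($sig.Status -ne 'Valid') {
    $findings += "Signature status is '$($sig.Status)'; the script would not run under AllSigned."
}

# 3. Allow ACEs that grant write-type rights to anyone outside $trusted.
#    ACEs expressed only as generic rights are not decoded by this check.
foreach ($ace in (Get-Acl $ScriptPath).Access) {
    $who = $ace.IdentityReference.Value
    if ($ace.AccessControlType -eq 'Allow' -and
        ([int]$ace.FileSystemRights -band $writeMask) -and
        $trusted -notcontains $who) {
        $findings += "'$who' can modify the script ($($ace.FileSystemRights))."
    }
}

if ($findings.Count -eq 0) { Write-Output "OK: $ScriptPath"; exit 0 }
$findings | ForEach-Object { Write-Output "FINDING: $_" }
exit 1
```

Run it from an elevated PowerShell prompt on the file server before the first scheduled run; exit code 0 means no findings, 1 means at least one finding, and 2 means the script file is missing.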