AD RMS Policy Templates
Applies To: Windows Server 2008, Windows Server 2008 R2
Rights policy templates are used to control the rights that a user or group has on a particular piece of rights-protected content. AD RMS stores rights policy templates in the configuration database. Optionally, it maintains a copy of all rights policy templates in a shared folder that you specify.
Some examples of rights policy templates are:
Company Confidential. Such a template could be used to allow only employees to view content, but not forward, copy, or save the document.
Expires in 30 days. This could be used to ensure that content is not valid after 30 days. A letter of offer, an RFP, or perhaps a draft version of a document would be consumable for only a set period of time.
Must be Connected to Consume. This ensures that recipients have connectivity to a licensing server and are not using cached copies of a use license to consume content. This could be used in a case in which a template is subject to change and you want the recipient to consume only the latest version. Also, if a computer is lost or stolen, the RMS-protected content would not be accessible to the person who found or stole it.
When AD RMS attempts to verify group membership, the results are cached. This can become an issue if a document was protected by a template that assigned rights to a particular group. For example, Bob is a user and a member of the Support group. Bob receives a document that only allows members of the support group to consume it. Because Bob is already a member of the group, he would be able to consume it. However, if Alice were then added to that group, she would not be granted access until the Active Directory Domain Services cache expired. To disable cache settings on Windows Server 2008 there are two possible ways of accomplishing this.
Under the DRMS_Config database access the DRMS_cluterpolicies table and change the value of PolicyData cell to 0 for UseDirectoryServicesCacheDatabase and EnableNoRightsCaching. This will disable all database caching.
EnableNoRightsCaching is new to AD RMS and is used to cache ‘No rights’ failures. For security purposes, this allows you to determine who might be trying to access a piece of content that they do not have the rights to.
To disable only Active Directory caching, under the DRMS_Config database access the DRMS_cluterpolicies table and change the value of PolicyData cell to 0 for the following:
|Prior to making any modifications to your AD RMS databases, these databases should be backed up.|
To ease administration of the rights policy templates, AD RMS in Windows Server 2008 introduced a rights policy template creation wizard. To ease distribution of rights policy templates, AD RMS has also introduced a new rights policy template distribution pipeline. This new pipeline allows an AD RMS client to request rights policy templates stored on the AD RMS cluster and store them locally on the client computer. This functionality is available with AD RMS clients in Windows Vista with SP1, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
For AD RMS clients that are not running on Windows Vista with SP1, Windows Server 2008, Windows 7, and Windows Server 2008 R2, you must manually distribute the rights policy templates from a central location to the client. Some distribution methods include using Systems Management Server, Group Policy, or manually copying the templates to the client computer as described at the above section.
For more information on rights policy template configuration and deployment see AD RMS Policy Template Considerations (http://go.microsoft.com/fwlink/?LinkId=154598).
For more information on setting up rights policy templates see AD RMS Rights Policy Templates Deployment Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkID=153712).