
Microsoft Virtual Labs

Managing AD RMS HOL Lab v0.3


Table of Contents
Exercise 1 Manage AD RMS infrastructure
Exercise 2 Configure AD RMS Client Options from Registry
Exercise 3 Check the AD RMS Reports

Objectives
After completing this lab, you will be better able to:
• Configure new management features provided by AD RMS
• AD RMS Template Management
• Configure AD RMS by registry settings and GPO on the client side

Scenario
As network administrator for Northwind Traders, you have Active Directory Rights Management Services (AD RMS) on your network. You need to delegate AD RMS management to users that know the business line.

Estimated Time to Complete This Lab
60 Minutes

Computers used in this Lab
NWTSRV01
NWTSRV02
NWTSRV03

The password for the Administrator account on all computers in this lab is: Str0ngPassw0rd.


Exercise 1
Manage AD RMS infrastructure

Scenario
Northwind Traders has Active Directory Rights Management Services implemented on your network, and you decide to delegate management of the AD RMS infrastructure to users who know the business requirements for information protection.

Tasks and Detailed Steps

Complete the following tasks on: NWTSRV01

1. Create AD RMS groups for role delegation
b. Log on to NWTSRV01 as NWTRADERS\Administrator with the password Str0ngPassw0rd
c. Open Active Directory Users and Computers
d. Expand nwtraders.local, ISD, Groups OU
e. Under Groups OU create the following Universal Security groups:
   • NWT ADRMS Auditors
   • NWT ADRMS Enterprise Admins
   • NWT ADRMS Templates Admins
f. Include the following users in the respective groups:
   User     Group
   Debra    NWT ADRMS Auditors
   Monica   NWT ADRMS Enterprise Admins
   Peter    NWT ADRMS Templates Admins
g. Close all windows and log off


2. Delegate AD RMS rights to different users.
a. Log on to NWTSRV02 as NWTRADERS\Administrator with the password Str0ngPassw0rd.
b. From Server Manager, expand Configuration, expand Local Users and Groups.
c. Open the Groups container.
d. Select Groups container
e. In the Groups pane, look for the following Groups:
   • AD RMS Auditors
   • AD RMS Enterprise Administrators
   • AD RMS Template Administrators.
f. Include the following Active Directory groups in the corresponding local groups.
   Local Groups                       Active Directory Group
   ADRMS Auditors                     NWT ADRMS Auditors
   ADRMS Enterprise Administrators    NWT ADRMS Enterprise Admins
   ADRMS Templates Administrators     NWT ADRMS Templates Admins
Note: Non-domain-administrator users can manage AD RMS. To delegate management responsibilities to these users, they would have to log on to the AD RMS server, which requires the log on locally right. Since assigning this right to users other than domain admins is not recommended, we suggest having these users run the AD RMS MMC on a machine other than the SQL or AD RMS server. In this exercise the user runs the MMC from the SQL server, simulating a server used for this purpose.

3. Add AD RMS Console on a remote administrator server
a. Log on to NWTSRV03 as NWTRADERS\Administrator with the password Str0ngPassw0rd.
b. Click Start, Control Panel, Programs and Features; on the left pane select Turn Windows features on or off
c. Select Features on the left pane and then click Add Features.
d. Expand Remote Server Administration Tools, Role Administration Tools and select Active Directory Rights Management Services Tools.
e. Click Next and then click on Install.
f. After the installation has finished, click on Close.
g. Click Start, on the Start Search type mmc
h. Press Ctrl+M and add the AD RMS mmc
i. On the AD RMS console, click on Add Cluster
j. On the Add AD RMS Cluster under Connection protocol select HTTPS
k. Under Connect to select Remote and type adrms.nwtraders.com, click Finish
l. Click on File, Save as and save the AD RMS Console on C:\users\Public\Desktop
m. Log off

4. Check the Options granted to the users on AD RMS Infrastructure.
a. Log on to NWTSRV03 as NWTRADERS\Monica with the password pass@word1.
b. Open the Active Directory Rights Management Services console located on the desktop and expand the AD RMS cluster
c. Explore the available options; notice that Monica has full access to the AD RMS options.
d. Repeat these steps as Debra and notice that she has access only to the Report Options
e. Repeat these steps as Peter and notice that he has only Template Rights available
f. Log off

Complete the following tasks on: NWTSRV03

Note: Now that you have delegated management to Monica, Peter and Debra, they can change different settings based on their new profiles. Monica needs to configure the AD RMS infrastructure to prevent computers running Windows 98 and Millennium from protecting information.

5. Excluding Earlier Windows Versions (Windows 98 and Millennium)
a. Log on to NWTSRV03 as NWTRADERS\Monica with the password pass@word1.
b. Open AD RMS Console located on the desktop.
c. Expand adrms.nwtraders.com in the console tree, expand Exclusion Policies and then click Windows Versions.
d. In the Actions pane, click Enable Windows Version Exclusion.
e. Look in the Windows Versions window and note the message. Windows 98 Second Edition and Windows Millennium Edition are now excluded

6. Excluding Lockbox Versions
a. In the console tree, expand Exclusion Policies and then click Lockbox.
b. In the Actions pane, click Enable Lockbox Exclusion.
c. In the AD RMS Lockbox window, click on Change minimum Lockbox version, type 3.0.3198.15 and click OK
d. Notice that there is now an entry in the Lockbox Version Exclusion

Complete the following tasks on: NWTSRV03

Note: The CEO of NW Traders decided that Excel 2003 is not allowed to be used to consume and protect information. Monica has been asked to remove Excel from the allowed applications for AD RMS.

7. Check application version
a. Log on to NWTCLT02 as NWTRADERS\Administrator with the password Str0ngPassw0rd.
b. Open Windows Explorer, and then browse to: C:\Program Files\Microsoft Office\Office11.
c. Right-click Excel.exe and then click Properties.
d. On the Version tab, make a note of the version number of the executable file (for example, 11.0.8211.0).
e. Close all open windows and log off of NWTCLT02

8. Excluding Office Application
a. If necessary, log on to NWTSRV03 as NWTRADERS\Monica with the password pass@word1.
b. Open the AD RMS Services console and expand the AD RMS cluster.
c. In the console tree, expand Exclusion Policies and then click Applications.
d. Right-click over there and click Enable Application Exclusion
e. In the Actions pane, click Exclude Application. The Exclude Application wizard appears
f. In the Application File name box, type excel.exe.
g. Type the version of the application in both fields (11.0.8211.0), and then click Finish.
h. Check that Excel is now listed as an excluded application.

9. Check if the excluded application can consume protected information
a. Log on to NWTCLT01 as NWTRADERS\Peter with the password pass@word1.
b. Open Microsoft Outlook, and then create a new message addressed to Tom.
c. In the Subject line, type Ratio Analysis.
d. Attach the file NW Traders - Ratio Analysis v1.0.xls located on C:\ISDHOL
e. Click on Office Button, Permission, select Do Not Forward and then click Send.
f. On the Office popup select OK
g. Switch to NWTCLT02
h. Log on to NWTCLT02 as NWTRADERS\Tom with the password pass@word1.
i. Start Microsoft Office Outlook 2003, and then attempt to open the new message from Peter and try to open the Excel file.
Note: Tom can consume the protected mail but is unable to open the Excel file. The error message warns that his version of Office requires updating.
j. Click OK, and then close all windows.
k. Log off of NWTCLT02.
l. Log on to NWTCLT02 as NWTRADERS\Monica with the password pass@word1.
m. Switch to NWTSRV03
n. Log on to NWTSRV03 as NWTRADERS\Monica with the password pass@word1.
o. Open the AD RMS Console and remove the excluded application
p. Switch to NWTCLT02 with Tom's credentials and try to open the Excel file again.
Note: Notice that you can consume the file without problems
q. Log off.

Complete the following tasks on: NWTSRV03

Note: For security reasons Monica has been notified that Tom temporarily cannot consume or create protected information. You need to disable Tom's user only for the AD RMS platform.

10. Deny user to use AD RMS platform
a. Log on to NWTSRV03 as NWTRADERS\Monica with the password pass@word1.
b. Open the ADRMS Console
c. Expand NWTSRV02 Exclusion Policies and then click Users.
d. Right-click over Users and click Enable User Exclusion.
e. In the Actions pane, click Exclude user. The Exclude User wizard appears.
f. Select the "Use this option for excluding rights account certificates of internal users who have an Active Directory Domain Services account" option, and then type tom@nwtraders.com
g. Click Finish.
h. Check that there is now an entry in the exclusion list. Click the Copy link next to Tom's public key to copy his public key to the clipboard.
i. Paste the public key into a new Notepad document to see the public key in its entirety. Close Notepad without saving the document.

11. Check the functionality
a. Log on to NWTCLT01 as NWTRADERS\Debra with the password pass@word1.
b. Open Microsoft Office Outlook.
c. Create a new e-mail message with allusers as the recipient.
d. In the Subject line, type Memorandum.
e. Attach the file NW Traders - Memo v1.0.doc located on C:\ISDHOL.
f. On the Office Button, click the permissions, select Do Not Forward and then send the message.
g. Log off and switch to NWTCLT02.
h. Log on to NWTCLT02 as NWTRADERS\Tom with the password pass@word1.
i. Open Microsoft Outlook.
j. Double-click the message from Debra. Notice that Tom is prevented from opening the message and is asked whether he would like to use another user to consume the information.
k. Log off

12. Remove User exclusion
a. Switch to NWTSRV03 as NWTRADERS\Monica with the password pass@word1
b. Open Active Directory Rights Management Services console and expand the AD RMS cluster.
c. In the console tree, expand Exclusion Policies and then click Users.
d. In the User exclusion section, under Excluded users, right-click Tom's User Account information and select delete
e. Switch back to NWTCLT02.
f. Log on as NWTRADERS\Tom with the password pass@word1.
g. Attempt to open the message from Debra. Observe that Tom is now able to open the message.
h. Close the open e-mail message.
i. Close Outlook, and then log off.

Complete the following tasks on: NWTSRV01

Note: Tom takes vacation and Debra needs to open content protected by Tom, modify it and set a new protection. The CEO authorized the request and Monica must be enabled as Super User. She requested a user group from the Administrator to enable the feature.

13. Create Super User Group
a. On NWTSRV01, log on as NWTRADERS\Administrator with the password Str0ngPassw0rd.
b. On the Start menu, select All Programs, and then click Microsoft Exchange Server 2007.
c. Select Exchange Management Console, and if a warning window appears click OK.
d. Expand Recipient Configuration, select and right-click Distribution Group and then select New Distribution Group…
e. To create a new group, click Next.
f. Select Distribution and type nwtsuperusers in the Name field and then click Next.
g. Click Next to finalize the creation and then click Finish.
h. Log off

14. Create a protected content
a. Log on to NWTCLT01 as NWTRADERS\Tom with the password pass@word1.
b. Open the file NW Traders - Project Status v1.0.ppt located on C:\ISDHOL
c. On Office button, select Prepare and then select Restrict Permissions.
d. Select Restricted Access.
e. In the Permissions window, select the Restrict Permissions to this Document check box, and click OK.
f. Click on Save
g. Log off from NWTCLT01.

15. Consume protected documents
a. Log on to NWTCLT01 as NWTRADERS\Debra with the password pass@word1.
b. Open the file NW Traders - Project Status v1.0.ppt located on C:\ISDHOL
c. Click OK in the Office popup
d. Notice that you don't have rights to consume this document
e. Close PowerPoint and log off

16. Enable Super Users.
a. Log on to NWTSRV03 as NWTRADERS\Monica with the password pass@word1.
b. Open the Active Directory Rights Management Services console and expand adrms.nwtraders.com
c. Expand Security Policies.
d. Select Super Users, and in the Actions pane, click Enable Super Users.
e. Click on Change Super User Group.
f. Click Browse; on the Select Groups window type nwtsuperusers and click Check Names
g. Click OK twice.
h. Open the Event Viewer, expand Windows Logs and select the Application log
i. Find the event warning with the ID 163
Note: This event appears when the Super User group is enabled. You can use auditing of this event to send alerts when this group is enabled.
j. Close the AD RMS Management Console.

17. Debra requested access to the administrator
Note: Debra needs to open the information protected by Tom because he is on vacation.
a. Log on to NWTSRV01 as NWTRADERS\Administrator with the password Str0ngPassw0rd
b. Open Active Directory Users and Computers
c. Expand nwtraders.local, Users and select the nwtsuperusers group
d. Set Debra as a member of nwtsuperuser
e. Close all and switch to NWTCLT01 as NWTRADERS\Debra with the password pass@word1
f. Open the file NW Traders - Project Status v1.0.ppt located on C:\ISDHOL
g. Observe the results. As a member of the SuperUsers group, Debra should have an owner use license enabling her full access to the document.
h. Close Microsoft Word, and then log off from NWTCLT01.

18. Disable Super Users.
a. Switch to NWTSRV03
b. Log on as Monica
c. Open the Active Directory Rights Management Services console and expand the AD RMS cluster.
d. Expand Security Policies
e. Click Super Users
f. In the Action pane, select Disable Super User.
g. Close the AD RMS management console.
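
A review check for the Super Users tasks above, as an added example that is not part of the original lab: it looks for the ID 163 warning in the Application log and lists who is currently in the super users group. The event ID, log, and group name come from the lab; the lookback window, the parameter names, and the availability of the ActiveDirectory module are assumptions.

```powershell
# Added example (not from the lab): review Super Users enablement and membership.
# From the lab text: event ID 163, level Warning, Application log; group nwtsuperusers.
# Assumptions: the lab does not name the event provider, so the filter uses log, ID
# and level only; $LookbackDays is a hypothetical review window; the ActiveDirectory
# module (RSAT) is installed where this runs.
[CmdletBinding()]
param(
    [string]$ComputerName    = $env:COMPUTERNAME,   # host whose Application log is read
    [string]$SuperUsersGroup = 'nwtsuperusers',     # group name used in this lab
    [int]   $LookbackDays    = 7
)

$filter = @{
    LogName   = 'Application'
    Id        = 163
    Level     = 3   # 3 = Warning
    StartTime = (Get-Date).AddDays(-$LookbackDays)
}

try {
    $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop)
}
catch {
    # Get-WinEvent raises an error when no event matches; treat that as an empty result.
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
    else { throw }
}

# The provider is not filtered, so show it: unrelated ID 163 events are then easy to spot.
$events | Sort-Object TimeCreated |
    Select-Object TimeCreated, MachineName, ProviderName, Id,
        @{ Name = 'Summary'; Expression = { ("$($_.Message)" -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# Current membership of the super users group, including nested groups.
Import-Module ActiveDirectory -ErrorAction Stop
$members = @(Get-ADGroupMember -Identity $SuperUsersGroup -Recursive |
    Select-Object Name, SamAccountName, objectClass)

if ($members.Count -gt 0) {
    Write-Warning "$SuperUsersGroup has $($members.Count) member(s); while Super Users is enabled they can open content protected by the cluster."
    $members | Format-Table -AutoSize
}
else {
    Write-Output "$SuperUsersGroup has no members."
}

if ($events.Count -gt 0 -and $members.Count -gt 0) {
    Write-Warning "Super Users was enabled in the last $LookbackDays day(s) and the group is populated. Confirm the request was authorized and that the feature was disabled afterwards."
}
```

Run it against the host whose Application log you reviewed in task 16; after task 18 the group should also be emptied once the authorized access is no longer needed.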

19. Verify the path for AD RMS Template on the GPO repository.
Note: Peter has been assigned the rights to manage and create AD RMS templates. The administrator checked the correct rights on the share folder for the templates
a. Log on to NWTSRV01 as NWTRADERS\Administrator with the password Str0ngPassw0rd
b. Open Group Policy Manager Console
c. Click on Group Policy Objects, and then right-click the GPO called ISD – Configuration Settings v1.0 and then select Edit.
d. Expand to User Configuration\Policies\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 System, Manage Restricted Permissions.
e. In the details pane, double-click Specify Permission Policy Path, click Enabled, and verify the following value is set: \\nwtsrv01.nwtraders.local\ADRMSTemplates as the path. Click OK.
f. Expand to User Configuration\Policies\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2003, Manage Restricted Permissions.
g. In the details pane, double-click Specify Permission Policy Path, click Enabled, and verify the following value is set: \\nwtsrv01.nwtraders.local\ADRMSTemplates as the path. Click OK.
h. Close all windows

20. Verify the permissions on the Share Folder of AD RMS Templates
a. Open Windows Explorer.
b. Browse c:\ and right-click over ADRMSTemplates and select Properties
c. On the ADRMSTemplates properties select Sharing Tab and then click on Share.
d. Click on Change Sharing Permissions and verify the following permissions
   Name            Permission Level
   Administrator   Owner
   ADRMSSvc        Co-owner
   Everyone        Reader
e. Click Cancel and Close

21. Create a rights policy template.
a. Switch to NWTSRV03
b. Log on to NWTSRV03 as NWTRADERS\Peter with the password pass@word1
c. Open AD RMS Console located on the Desktop
d. Expand adrms.nwtraders.com and select Rights Policy Templates
Note: Notice that Peter has only rights to manage Templates
e. Click on the Create distributed rights policy Template link
f. On the Create distributed rights policy Template window click Add and in the Template name box, type NW Traders – Vendors Print.
g. In the Template description box, type This Template grant Permission to Print content to the Vendors Group.
h. Click Add and then click Next.
i. Click on the Add... Button.
j. In the Add users or group field type vendors@nwtraders.com and click OK.
k. Select vendors@nwtraders.com and then enable the following rights:
   • Print
l. In the Rights request URL field, type mailto:administrator@nwtraders.com.
m. On the Specify Expiration Policy, under Use license expiration select the checkbox for "Expires after the following duration (days)" and set a value of 5
n. Click Finish
o. Log off

22. Configure Offline Folders for Rights Policy Templates Path for XP
Note: Peter was notified that users with laptops cannot access the templates when they aren't connected to the network. Peter reported this situation to the administrator and they work to resolve the issue.
a. Log on to NWTSRV01 as NWTRADERS\Administrator with the password Str0ngPassw0rd
b. Click on the Start menu, click Run, type gpmc.msc and press Enter
c. Expand the Nwtraders.local node
d. Expand the Domains node.
e. Expand the Nwtraders.local node and then click Group Policy Objects.
f. Right-click on XP – AD RMS Clients and then click Edit
g. In the Group Policy Object Editor, expand the User Configuration node, then Policies, then Administrative Templates, then Network, then Offline Files, and then proceed to configure the following information (Setting: State)
   • Synchronize all offline files when logging on: Enabled
   • Action on Server disconnect: Enabled, and select Work offline as the Action
   • Non-default server disconnect actions: Enabled, click on Show, and use the Add… button to add Name with \\NWTSRV01.Nwtraders.local\ADRMSTemplates, and Value with 0
   • Administratively assigned offline files: Enabled, click on Show, and use the Add… button to add Name with \\NWTSRV01.Nwtraders.local\ADRMSTemplates (DON'T assign any data to the Value option)
h. Close all windows


23. Check that the templates are available on XP clients
a. Log on to NWTCLT02 as NWTRADERS\Monica with the password pass@word1
b. Open Microsoft Word
c. Click on the File menu, Permission
d. Notice that you have available the AD RMS Templates.
e. Close Microsoft Word
f. Log off
g. Log on to NWTCLT02 as NWTRADERS\Administrator with the password Str0ngPassw0rd
h. Click Start, Control Panel.
i. On the Control Panel click on Network Connections and then Disable the Internal Network
j. Log off
Note: This action simulates that the computer is not connected to the network
k. Log on to NWTCLT02 as NWTRADERS\Monica with the password pass@word1
l. Open Microsoft Word
m. Click on the File menu, Permission
n. Notice that you have available the AD RMS Templates.
Note: The AD RMS Templates are required only to apply rights; you don't need the templates to consume protected information.
o. Log off
p. Enable the Internal network with the Administrator account.

24. Configure Rights Policy Templates Path for Windows Vista
a. Log on to NWTCLT01 as NWTRADERS\Administrator with the password Str0ngPassw0rd
b. On the Start menu, type Task Scheduler, and then press ENTER.
c. In the Task Scheduler window, expand Task Scheduler Library, then expand Microsoft, expand Windows and click on Active Directory Rights Management Services Client.
d. In the details pane, click AD RMS Rights Policy Template Management (Automated), and then review the scheduled task properties.
Note: The AD RMS client requests rights policy templates from the AD RMS cluster by using a scheduled task, which is configured to query the template distribution pipeline on the AD RMS cluster. Two scheduled tasks are available on computers running Windows Vista SP1: one automated and one manual. The automated scheduled task is configured to run up to one hour after a user logs on to the computer and every morning at 3:00 A.M., but this scheduled task is disabled by default. You can enable and change the default configuration by using the Task Scheduler control panel.
e. In the Actions pane, click Enable.
f. In the Actions pane, click Properties.
g. In the AD RMS Rights Policy Template Management (Automated) Properties dialog box, click the Triggers tab.
h. Click At log on, and then click Edit.
i. In the Delay task for list, click 30 Seconds. Click OK twice.
Note: In the lab environment, you want this task to execute shortly after logon, but after group policies are enforced on the computer. In a production environment, the one hour delay should work for most implementations, and the settings can be deployed using Group Policy.
j. Run the Task
k. Close all open windows
l. Reboot NWTCLT01
m. Log on to NWTCLT01 as NWTRADERS\Administrator with the password
n. Browse the following path: C:\Users\Administrator\AppData\Local\Microsoft\DRM\Templates
o. Make sure that you have several xml files (these are AD RMS Templates)

25. Check that the templates are available on Vista clients
a. Log on to NWTCLT02 as .\ISDUser with the password pass@word1
b. On the Start menu, click on Start Search and type Regedit.exe
c. Open Regedit.exe and set the values for the following keys
d. HKLM\Software\Microsoft\MSDRM\ServiceLocation\Activation
   Registry Name   Type     Value
   Default         Reg_Sz   https://adrms.nwtraders.com/_wmcs/certification
e. HKLM\Software\Microsoft\MSDRM\ServiceLocation\EnterprisePublishing
   Registry Name   Type     Value
   Default         Reg_Sz   https://adrms.nwtraders.com/_wmcs/licensing
f. HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM
   Registry Name       Type            Value
   AdminTemplatePath   Reg_Expand_Sz   %LocalAppData%\Microsoft\DRM\Templates
g. Close Registry Editor
h. Open Microsoft Word
i. Click on Office Button, Prepare, Restrict Permission and click on Restricted Access
j. On the Select Service window, click on "Use a Microsoft Windows Account" and click OK
k. On Window authentication, type NWTRADERS\Debra with the password pass@word1
l. On the Permission Window click on Cancel and close Microsoft Word
m. On the Start menu, type Task Scheduler, and then press ENTER.
n. In the Task Scheduler window, expand Task Scheduler Library, then expand Microsoft, expand Windows and click on Active Directory Rights Management Services Client.
o. In the details pane, right-click over AD RMS Rights Policy Template Management (Manual), click on Run
p. On Window authentication, type NWTRADERS\Debra with the password pass@word1
q. Browse the following path c:\Users\ISDUser\Appdata\Local\Microsoft\DRM\Templates in order to confirm that the template was copied
r. Open Microsoft Word
s. Click on Office Button, Prepare, Restrict Permission.
t. Notice that now you have the AD RMS Templates available to protect information.
u. Close all windows and log off


Exercise 2
Configure AD RMS Client Options from Registry

Scenario
Some features must be configured by GPO or registry key. Some of the most important are configured in the next exercise; the complete list of registry and GPO options can be found at
http://technet.microsoft.com/en-us/library/cc179150.aspx

Tasks and Detailed Steps

Complete the following tasks on: NWTSRV01

1. Disable Information Rights Management Capabilities (By Registry)
a. On NWTCLT01, log on as Monica with the password pass@word1
b. Click on the Start menu, on the Start Search type regedit.exe, and then press ENTER.
c. Location: HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM
d. Right-click DRM, point to New, and then click DWORD.
e. Type Disable, and then click OK.
f. Double-click the Disable registry entry. In the Value data box type 1
Note: When you enable this value, the user loses the ability to use the AD RMS infrastructure on a specific computer or OU. This item must be set by GPO.
g. Open Microsoft Outlook
h. Try to open Peter's mail
Note: The protected mail is shown as an attached file and you cannot read it
i. Close Microsoft Outlook
j. Switch to Registry Editor and set the value for Disable to 0
k. Open Microsoft Outlook and try to open Peter's mail
l. Notice that you can read the protected information
m. Log off

2. Disable Information Rights Management Capabilities (by GPO)
a. Switch to NWTSRV01
b. Log on as NWTraders\Administrator with the password Str0ngPassw0rd
c. Open Active Directory Users And Computers; under ISD OU create a new OU named Disable IRM and move the Peter account to this OU
d. Open Group Policy Management Console, expand nwtraders.local and select Group Policy Objects and create a new GPO named IRM - Cfg
e. On the right pane select the new GPO, right-click it and click on Edit
f. Expand Computer Configuration, Policies and right-click over Administrative Templates, click on Add/Remove Templates
g. On the Add/Remove Templates click on Add and browse C:\ADRMS\Office ADM and select Office12.adm, click Close.
h. Expand User Configuration, Policies, Administrative Templates, Classic Administrative Templates (ADM), Microsoft Office 2007 system, Manage Restricted Permissions
i. On the right pane double-click over Disable Information Rights Management User Interface and click on Enable, click OK
j. Close GP Editor
k. On the Group Policy Management, expand ISD OU, select Disable IRM OU, right-click it and click on Link an Existing GPO, select IRM - Cfg and click OK
l. On the right pane right-click over IRM - Cfg and click on Enforced, click OK on the warning window
m. Switch to NWTCLT01
n. Log on as NWTRADERS\Peter with the password pass@word1
o. Open Microsoft Outlook
p. Try to open Peter's mail
Note: The protected mail is shown as an attached file and you cannot read it
q. Close Microsoft Outlook
r. Switch to NWTSRV01 as Administrator
s. Open Group Policy Management Console, expand nwtraders.local, ISD, Disable IRM, select the IRM - Cfg, right-click it and click Edit
t. Modify the value for Disable Information Rights Management User Interface to Disable
u. Close all windows
v. Switch to NWTCLT01 as Peter
w. Click Start, Start Search and type gpupdate /force
x. Open Microsoft Outlook and try to consume Peter's mail; notice that you can consume the mail and have all IRM features enabled
y. Log off

3. Disable creation of IRM content for Microsoft Office 2007 (By Registry)
a. On NWTCLT01, log on as Monica with the password pass@word1
b. Open Microsoft Outlook, create a new mail to Peter
c. On the Subject field type "Financial Performance" and attach the file NW Traders - Financial Performance.ppt
d. Click on the Office button, Permissions, Do Not Forward and Send
e. Log off
f. On NWTCLT01, log on as Peter with the password pass@word1
g. Click on the Start menu, click Run, then type regedit.exe, and then press ENTER.
h. Browse the following path: HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM
i. Right-click DRM, point to New, and then click DWORD.
j. Type DisableCreation, and then click OK.
k. Double-click the DisableCreation registry entry. In the Value data box type 1
Note: When DisableCreation is set to 1, an Enterprise install acts just like a Standard install. Users cannot create IRM content or edit the rights on a document, but they can consume previously created content.
l. Close the window
m. Open Microsoft Outlook
n. Open Monica's mail and open the NW Traders - Financial Performance v1.0.ppt
o. Click on View Permission, and review Peter's rights
p. Click on Office Button, Prepare and notice that only View permission is available.
q. Close PowerPoint
r. Open the file NW Traders - Ratio Analysis v1.0.xml located on C:\ISDHOL
s. Click on Office Button, Prepare and notice that the Permission menu does not appear
t. Close all windows
u. Click on the Start menu, click Run, type regedit.exe, and then press ENTER
v. Browse: HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM
w. Double-click the DisableCreation registry entry. In the Value data box type 0
Note: Users can again create IRM content or edit the rights on a document
x. Validate that now you have the Permission menu on the Office application
y. Log off
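
A read-only audit of the client registry settings used in Exercise 1 task 25 and in tasks 1 and 3 of this exercise, as an added example that is not part of the original lab. The key paths, value names, and adrms.nwtraders.com URLs are the ones in the lab text; the function names and status wording are this example's own, and it must run as the user being checked because the Office key is under HKEY_CURRENT_USER.

```powershell
# Added example (not from the lab): report the AD RMS client registry settings
# that the lab configures, without changing anything.

function Get-RegValue {
    # Returns the value, or $null when the key or the value does not exist.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $prop = $item.PSObject.Properties[$Name]
    if ($null -ne $prop) { return $prop.Value }
    return $null
}

function Test-ServiceUrl {
    # A pinned service location should be HTTPS on the expected host and path.
    param([string]$Value, [string]$ExpectedUrl)
    if ([string]::IsNullOrWhiteSpace($Value)) { return 'Not set' }
    $actual = $null
    if (-not [uri]::TryCreate($Value, [System.UriKind]::Absolute, [ref]$actual)) { return 'Invalid URL' }
    if ($actual.Scheme -ne 'https') { return 'Not HTTPS' }
    $expected = [uri]$ExpectedUrl
    if ($actual.Host -ne $expected.Host) { return "Unexpected host: $($actual.Host)" }
    if ($actual.AbsolutePath.TrimEnd('/') -ne $expected.AbsolutePath.TrimEnd('/')) { return 'Unexpected path' }
    return 'OK'
}

function Get-DwordStatus {
    # Describes a 0/1 switch such as Disable or DisableCreation.
    param($Value, [string]$WhenOne)
    if ($null -eq $Value) { return 'Not set' }
    switch ([int]$Value) {
        1       { return $WhenOne }
        0       { return 'Set to 0' }
        default { return "Unexpected value: $Value" }
    }
}

$svc = 'HKLM:\Software\Microsoft\MSDRM\ServiceLocation'
$drm = 'HKCU:\Software\Microsoft\Office\12.0\Common\DRM'

# "Default" in the lab tables is the key's default value, exposed as '(default)'.
$activation = Get-RegValue "$svc\Activation" '(default)'
$publishing = Get-RegValue "$svc\EnterprisePublishing" '(default)'
$disable    = Get-RegValue $drm 'Disable'
$noCreate   = Get-RegValue $drm 'DisableCreation'
$tplPath    = Get-RegValue $drm 'AdminTemplatePath'   # REG_EXPAND_SZ, returned expanded

$tplStatus = if ([string]::IsNullOrWhiteSpace($tplPath)) { 'Not set' }
    elseif (-not (Test-Path -LiteralPath $tplPath -PathType Container)) { 'Folder not found' }
    else { '{0} template file(s)' -f @(Get-ChildItem -LiteralPath $tplPath -Filter *.xml -File).Count }

$report = @(
    [pscustomobject]@{ Setting = 'ServiceLocation\Activation'; Value = $activation
        Status = (Test-ServiceUrl $activation 'https://adrms.nwtraders.com/_wmcs/certification') }
    [pscustomobject]@{ Setting = 'ServiceLocation\EnterprisePublishing'; Value = $publishing
        Status = (Test-ServiceUrl $publishing 'https://adrms.nwtraders.com/_wmcs/licensing') }
    [pscustomobject]@{ Setting = 'DRM\Disable'; Value = $disable
        Status = (Get-DwordStatus $disable 'IRM disabled for this user') }
    [pscustomobject]@{ Setting = 'DRM\DisableCreation'; Value = $noCreate
        Status = (Get-DwordStatus $noCreate 'User can consume but not create IRM content') }
    [pscustomobject]@{ Setting = 'DRM\AdminTemplatePath'; Value = $tplPath; Status = $tplStatus }
)

$report | Format-Table -AutoSize -Wrap
```

The script reads only the per-user and per-machine keys named in the lab; settings delivered by the GPO tasks are not inspected here.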

4. Disable creation of IRM content for Microsoft Office 2007 (By GPO)
a. On NWTSRV01, log on as NWTRADERS\Administrator with the password Str0ngPassw0rd
b. Click on Start, Run, and type gpmc.msc
c. Expand Nwtraders.local, ISD, Disable IRM
d. Click on Group Policy Objects, and then right-click the GPO called IRM - Cfg and then select Edit.
e. Click \User Configuration\Policies\AdministrativeTemplates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system\Manage Restricted Permissions\Prevent users from changing permissions on rights managed content, and select Enable
f. Click OK
g. Close any open windows
h. Log off
i. Switch to NWTCLT01 as Peter
j. Open Microsoft Outlook
k. Open Monica's mail and open the NW Traders - Financial Performance v1.0.ppt
l. Click on View Permission, and review Peter's rights
m. Click on Office Button, Prepare and notice that only View permission is available.
n. Close all windows and log off

5. Protect information with AD RMS
a. Log on to NWTCLT01 as Monica with the password of pass@word1
b. Open the file NW Traders - Balance Sheet with Financial ratios v1.0.xls located on C:\ISDHOL
c. Click Office button, Prepare, Restrict Permission and then click on Restricted Access
d. Select Restrict Permission to this workbook; in the Read field type Debra@nwtraders.com and click OK
e. Click on Office button, and select Save as Excel Workbook
f. On the File name type NW Traders - Balance Sheet with Financial Ratios v2.0 and click Save
g. Close all windows
h. Log off
Note: For 2007 Office system Office Open XML file formats (for example, docx, xlsx, pptx, and so on), users can decide to encrypt the Office metadata stored inside a rights-managed file. Users can encrypt all Office metadata, including hyperlink references, or leave content unencrypted so other applications can access the data.

6. Encrypt Office document metadata
a. Log on to NWTCLT01 as Tom with the password of pass@word1
b. Browse C:\ISDHOL and open NW Traders - Balance Sheet with Financial Ratios v2.0.xlsx
c. Notice that Tom doesn't have permission to consume this document
d. Close Microsoft Excel
e. Right-click over NW Traders - Balance Sheet with Financial Ratios v2.0.xlsx, select Properties and then select the Details tab; notice that Tom can read who the Author is, who last saved the document, etc.
f. Close all windows and log off
Note: The company's security policy establishes that the metadata information must be encrypted
g. Log on to NWTSRV01 as NWTRADERS\Administrator with the password Str0ngPassw0rd
h. Click on the Start menu, and click Run, then type gpmc.msc, and then press ENTER.
i. Click on Group Policy Objects, and then right-click the GPO called ISD – Configuration Settings v1.0 and then select Edit.
j. Click \User Configuration\Policies\AdministrativeTemplate\Classic Administrative Templates (ADM)\Microsoft Office 2007 system\Security Settings\Protect document metadata for rights managed Office Open XML Files, click on Display Properties and select Enable
k. Click OK
l. Close all windows
m. Log off
n. Switch to NWTCLT01 as Monica with the password pass@word1
o. Open the file NW Traders - Balance Sheet with Financial ratios v1.0.xls located on C:\ISDHOL
p. Click on View Permission and add Peter with read rights
q. Save and log off
r. Log on as Tom
s. Right-click over NW Traders - Balance Sheet with Financial Ratios v2.0.xlsx, select Properties and then select the Details tab; notice that Tom cannot view the information shown before.
t. Log off


Exercise 3
Check the AD RMS Reports

Scenario
Debra has the role of AD RMS auditor. With these rights she must review the AD RMS reports to check the health of the platform and help with troubleshooting.

Tasks and Detailed Steps

Complete the following tasks on: NWTSRV03

1. In this task, you will review the AD RMS reports options.
a. Log on to NWTSRV03 as NWTRADERS\Debra with the password pass@word1
b. Open the Active Directory Rights Management Services console and expand the AD RMS cluster
c. Expand Reports.
Note: Notice that Debra has Reports options only
d. Select Statistics Reports
Note: This report shows the number of users of the AD RMS platform
e. Select System Health, click on the green button and define a day for the report
Note: This report shows the number of requests for licenses, Acquire License, Acquire Template Information, etc., and the successful and failed requests
f. On the Action Pane you can request Performance Summary
Note: This report shows the response time for the different request types
g. Select the Troubleshooting Report
h. On the report input parameter window, in the user name field type NWTRADERS\Debra and click on Finish
i. With this report you can see the requests made by a specific user; if you click on the different request types you can find a history of the requests.
j. Close all windows.
