Channel: Active Directory Rights Management Service(On premise) forum

Azure RMS Templates

Hello, I recently posted this question in both the Azure and Office 365 forums and was referred here. We are currently using Office 365 and have enabled E3 licenses to use IRM in Office through Azure. We would like to encrypt a lot of documents using the AD RMS Bulk Encryption tool, however it requires an RMS template. Azure provides two (Confidential, and Confidential Read-only). These work using the tool, but when I try to modify the XML to customize the templates it breaks them and since I don't have access to the AD RMS MMC I cannot generate my own. Does anyone know how I can make this work?


Report User Access

Hi,

Which DB and table can I query to see last user access to the RMS server or using RMS functionality?


Krisna Ismayanto | My blogs: Krisna Ismayanto | Twitter:@ikrisna

Account Lockout policy not working - Server 2012 R2 Standard

Hi All,

We have been facing an account policy issue in Server 2012 R2 (GPO) for the past one and a half months. Before that it was working fine; this change happened all of a sudden without any changes. Details are as follows.

1. We are trying to implement an account policy for users, and the requirements are as follows.

  a. Accounts should be locked after three wrong password attempts.

  b. Once an account is locked, only an Administrator should be able to unlock it; until then it should remain locked.

When we place 0 (zero) under "Default domain policy - account lockout policy - lockout duration", all the users are getting locked automatically. When we unlock them after one minute they get locked again automatically.

We set the values as follows.

  Lockout duration: 0 (when we place zero here it's not applying as per the policy defined by Microsoft.)

  Account lockout threshold: 3

  Reset account lockout counter after: 99,999 (we tried different options here like 1, 20, 30 etc.; still facing the problem.)

When we place the numbers 1 through 99,999 it's working fine, but it unlocks automatically after a certain period of time, which the customer doesn't want; they want it to be unlocked only by an administrator.

How to export email address from AD to excel file

Dear all,

Please help me with how to export email addresses from AD to an Excel file by script.

Best regards,

Hung Viet

Active Directory with DOD CAC Card

We had originally planned to bind our Java web application to active directory this fall. However, our client who is with the US department of defense has told us we may have to implement the DOD CAC card to authenticate against our web application.

Our only reason for using Active Directory was to take advantage of the password rules baked into the system and to allow our users the ability to reset their own passwords. However, now that we may have to authenticate using a CAC card, I am wondering if there is any reason to deploy Active Directory. Users will no longer require resetting their password. I don't have to worry about the password rules.

Doesn't the CAC card do the authentication? Could we store the user's profile in a database table? (That is what we are doing today.)

I will highly appreciate any comments or suggestions on what I should do. Thank you in advance!

AD RMS Logging Can't be Enabled

I configured my Windows Server 2012 R2 AD RMS with the SQL mirroring solution following this document: http://social.technet.microsoft.com/wiki/contents/articles/14977.test-lab-guide-configuring-ad-rms-with-sql-mirroring-in-windows-server-2012.aspx

The logging configuration is shown below:

Logging Server: data source=Server01;failover partner=Server02;initial catalog=DRMS_Logging_adrms_dc1_dc2_dc3_dc4_443

Logging Database: DRMS_Logging_adrms_dc1_dc2_dc3_dc4_443

When the SQL principal server is set to Server02, everything works fine, but once the SQL principal is set to Server01, new users are not able to create/open encrypted email. Event Viewer shows:

SQL server log shows AD RMS is trying to write log to mirroring Database Server - Server02 with below error:

Database mirroring is active with database 'DRMS_Logging_adrms_dc1_dc2_dc3_dc4_443' as the mirror copy. This is an informational message only. No user action is required.
Login failed for user 'domain\admin'. Reason: Failed to open the explicitly specified database 'DRMS_Logging_adrms_dc1_dc2_dc3_dc4_443'. [CLIENT: 10.78.110.40]

Can any RMS/SQL expert tell me why my AD RMS did not keep trying when saving log to mirroring server Server02 failed?  


Jason


How to know who is the protected document owner

Is there a way to allow a user to identify the AD RMS protected document owner so that the user knows whom he/she is supposed to ask for more rights?


Jason

RMS client error: This service is temporarily unavailable

If a user tries to consume the document, he gets this error. But if he protects a document and then tries to consume the already protected document, he is able to access it with restricted permission. I did run the IRM check, no error. Need help.


IRM and Exchange 2013 OWA

Outlook (2010 SP2) and OWA (Exchange 2013 CU6) have different behavior when viewing a message secured with AD RMS.

I have enabled IRM successfully for internal use.  I've set a test policy that allows messages to only be viewed for one day.  After one day, viewing secured messages via Outlook is blocked as expected.  The issue is when I view the message via OWA, I can see the body content.  The content is not protected, only attachments are protected.

A message that is intended to be protected but without attachments can be viewed via OWA even if it has been set to expire.  Viewing the same message in Outlook is prohibited, as it should be.

I tried to open a thread in the Exchange forum but they said that it is an RMS issue and that you guys would know what to do.

http://social.technet.microsoft.com/Forums/en-US/6b253c68-956c-43ef-a071-0b76e537ef56/owa-and-irm?forum=exchangesvrclients

Please help!

Office 2013 and RMS restrict permission

Hi,

I want to restrict Access/modify/view access to documents for some users, and I'm able to do this with Word 2010, but not with Word 2013.

When I try to restrict access using "Restrict Editing" under file information, I get this error:

"We were not able to find the information Rights Management Template. Please contact your administrator."


Then I use Rights Protected Folder and things worked fine with me as shown below.

And my question is how to use RMS with Office 2013 without the plugin?

Note: Templates are shown in Office 2013 normally and it is updated


Azure RMS and Cache

I am trying to make protected documents available to some users via Azure RMS. Within the templates, there is an option called Offline Settings and it's configured to "Content is available only with an Internet connection".

Background:

When I open the file in Office 2010 or Office 2010, the user is prompted to log in (good) and the credentials are cached.

If the internet connection is unavailable, both Office 2010 and Office 2013 do not open the document (good).

For the next 8 hours, Office 2013 will not prompt for authentication as it's cached (acceptable/good).

The problem is that Office 2010 seems to cache the credentials forever, meaning that if an employee is suspended, they still have access to the document. Any ideas?

When printing an AD RMS protected email (Exchange IRM), can the description of the AD RMS template policy print as well?

Greetings,

I noticed that when I get an email which is AD RMS protected (e.g. read only) but I am given the permission to print, I would like to have the AD RMS policy template description print as well.

This description is the one that shows up at the top of the email when reading an AD RMS protected email.


Thanks


Sarbjit Gill

ADRMS: Clients are not able to open documents whose permissions were restricted using ADRMS!

Infrastructure:

  (i) One SQL Server 2005 running on Windows Server 2003 SP2 for RMS database storage.

  (ii) ADDC & ADCS (no web enrollment) running on Windows Server 2003 SP2 (FFL & DFL set to 2003).

  (iii) ADRMS running on Windows Server 2008.

  (iv) Clients are using either Windows 7 with Office 2010 Pro or Windows 8 with Office 2013.

Question: Users are able to connect to the ADRMS server and restrict permissions on their documents without any issue, BUT the restricted documents CANNOT be opened, even by the owner/administrator. Whenever they try to open restricted docs a message appears: " Cannot configure your computer for Information Right Management at this time. Contact your administrator if this problem continues. "

I checked that 'rms.company.com' is added to the local intranet sites using IE.

So far I think client computers are not able to retrieve the RMS URL.

Kindly suggest how I should approach the solution.

NB: I am new to ADRMS.


Functional Level 2012 R2 with ADRMS SP1

Hi!

My enterprise wants to know if it is supported for ADRMS SP1 to continue operating if the client updates their AD DS environment with Windows Server 2012 R2 domain controllers and raises the functional level of the domain and the forest from 2003 to 2012 R2.

Do you have a link about this?

no "Trust Windows Live ID" in Action Pane

Hi Expert,

Environment: Windows Server 2012 R2 ADRMS Cluster (2 servers) + 1 database server.

I followed this article: http://technet.microsoft.com/en-us/library/cc753056.aspx

But I cannot find "Trust Windows Live ID" in Actions pane, any tips for this? Thanks in advance.

To trust Windows Live ID-based rights account certificates

  1. Log on to a server in the AD RMS cluster.

  2. Open the Active Directory Rights Management Services console and expand the AD RMS cluster.

  3. In the console tree, expand Trust Policies, and then click Trusted User Domains.

  4. In the Actions pane, click Trust Windows Live ID. The Windows Live ID certificate appears in the Trusted user domain list in the results pane.


amoschb


ADRMS Error: AD RMS setup could not validate the SQL server specified. Verify permissions and connectivity to SQL Server. Setup cannot connect to the specified database server because the server or instance name specified is invalid. The target principal

I keep getting this error when trying to connect my ADRMS server to SQL (for initial configuration).  I just connected sharepoint pretty recently and it is functioning (the SQL server seems to be working fine with sharepoint).  Any clue where to go from here (I have tried removing ADRMSADMIN and then recreating the user).  The user is a local admin on SQL server and has dbcreator, securityadmin checked in SQL manager.  What am I missing?  Why wouldn't AD be able to verify? Error is as follows:

AD RMS setup could not validate the SQL server specified. Verify permissions and connectivity to SQL Server. Setup cannot connect to the specified database server because the server or instance name specified is invalid.
The target principal name is incorrect.  Cannot generate SSPI context.

Un-joining server (2012) from old domain; when joined to new domain, AD accounts unable to log in

Hey everyone; I am hoping someone might be able to help out. We are currently working on upgrading our domain controllers as well as creating a new domain. Our old domain is "example.com" and the new domain is "ad.example.com." I have also created a parallel environment in AD so the user objects, groups and OUs are identical in new and old as far as names (I did not migrate SID-history). 

So now, I want to unjoin a server in our development-environment and re-join to the new domain. I am able to successfully join 'ad.example.com' (new domain) and log in using the local admin account. General functionality seems fine with local accounts. However if I try to log in with my domain account, my domain-admin account, or any test accounts on the domain "ad.example.com" it is hanging on: "Please wait for User Profile Service" - after a minute of spinning, it times out and boots me from my attempted RDP session with the error: "The User Profile Service failed the sign-in. User profile cannot be loaded" . Meaning there doesn't seem to be network issues, the server is acknowledging my request but it does not log me in.

Here is the snippet from Event Viewer regarding the error:

Product Name: Microsoft Windows Operating System

Product Vers: 6.2.9200.16384

Event ID: 1500

Event Source: Microsoft-Windows-User Profiles Service

Locale ID: 1033

General: Windows cannot log you on because your profile cannot be loaded. Check that you are connected to the network, and that your network is functioning correctly. 

 DETAIL - Only part of a ReadProcessMemory or WriteProcessMemory request was completed.

I have attempted multiple restarts of the machine, joined and unjoined the domain, and explicitly added user accounts to the remote access security group. In all, I am not exactly sure where to go from here, so if anyone had any advice it would be very much appreciated.


-Ryan S

Quest report on users

Hello,

I need to add a list of users to a share security but I would like to do it by a Group added instead of having all users listed one by one. I would like before creating a new group to confirm if there is a common group between all these users already... ( I am using QUEST Software)

I am trying to list all Groups a list of users are "Member of"..

I started with:

Get-QADGroup -ContainsMember '<<UserName>>'| Export-Csv 'Share.csv'

But this is not displaying the user name... and there are too many fields/columns in it... also I would like to do the command at once so something like:

Get-QADGroup -ContainsMember 'User1, User2,...' | Select-object 'name', 'type', 'dn', 'Memberof' | export-csv 'Share.csv'

I need the user name and the group name for each users.. something like...

user1 group1

user1 group2

user1 group3

...

user2 group2

user2 group5

....

user3 group3

...

second try...

Get-QADUser | Where-Object name -in -Value "user1", "User2", ... | Select-Object "name", "MemberOf" | Export-Csv "Shareusers.csv"

third try:

Get-QADUser 'Duchemin, Dominique' | Select-Object -expand memberof
You must provide a value expression on the right-hand side of the '-' operator.
At line:1 char:38
+ Get-QADUser | Where-Object ($_.name - <<<< in -Value "User1", "User2","User3", | Select-Object -expand memberof
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ExpectedValueExpression


still in progress

any idea?

Thanks,

DOm


System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager




On premises ADRMS and exch online services

Hello,

I have an on-premises ADRMS cluster (Win 2008 R2) and Office 365 services (Exchange Online, no hybrid).

When I send a protected document directly to a user's e-mail, he can open it, but if I send it to an Exchange DL, users are not able to open it.

I can see the TPD file needs to be imported to 365. Is this the correct solution I should go with:

http://technet.microsoft.com/en-us/library/dn151477(v=exchg.150).aspx

Thanks in Advance

Special Permissions for AD User Group on Share Subfolders

Using Server 2012 R2, Windows 8.1

Given \\Share\, with subfolders 1, 2, 3, I would like to allow an AD User Group Modify permission for subfolders and files to 1, 2, 3 yet preclude Delete of same host (parent) folders 1, 2, 3.

I have already tried dual permissions, where the first allows Modify for subfolders and files, and the second precludes Delete of This Folder (I've even tried explicit Deny for Delete on This Folder), with no success.

This suggests to me (and I could be wrong), that I've incorrectly set the permissions for \\Share\, but I cannot seem to isolate the issue... Any help would be greatly appreciated.

Cheers


Potential has a shelf life - Margaret Atwood

