Channel: Active Directory Rights Management Service(On premise) forum

Sending a Protected Document to an External Mailbox?


Hi,

I am just studying AD RMS and reading the article https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj134037(v%3dws.11) . I just wonder: if someone who has read permission on the document \\SQL1\Public\ADRMS-TST.docx tries to send the document to an external mailbox owned by a person outside the company, will the owner of that mailbox be able to receive the document and open/modify/print it without restrictions? If yes, then that would be a hole in AD RMS.

Thanks


Protect All Kinds of Files?


Hi,

I am studying AD RMS, based on https://en.wikipedia.org/wiki/Active_Directory_Rights_Management_Services and the Test Lab Guide https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj134037(v%3dws.11) . It seems that AD RMS can only protect specific types of files, such as Office documents, etc. For other file types, such as plain text files or C++ files (.cpp & .h), AD RMS cannot protect them. Is there a way to enable AD RMS to protect all kinds of files? Or at least to encrypt all kinds of files so that if they are copied out of the company intranet, they stay encrypted and cannot be read?

Thanks

ADRMS templates publish for specific group of users


Dear All,

I am new to AD RMS. Our requirement is only to protect documents.

When we tried to create custom templates, it asks for a user or group email address. Since we don't have any on-premises or Office 365 mailing solution, how can we publish custom templates for a group of users?

Thanks,

Shashidhar.


Need to add test/staging ADRMS cluster


I currently have an existing, fully functional AD RMS 2008 environment. I would like to build a parallel AD RMS environment in order to test the upgrade. I am concerned that if I build a separate cluster, it may take over our current production cluster or hinder the users' experience.

Can we have 2 SCPs?

We do not have a separate AD environment where we can fully test.

Has anyone built a test AD RMS environment in an AD forest that hosts a production one?

Thanks.

Does AD RMS on Windows server 2016 support SQL Server 2017?


The Microsoft documentation doesn't say that AD RMS supports SQL Server 2017. Does it?



This content could not be accessed..


1. Facing an error when trying to open a shared Word 2013 file protected by the AD RMS server...

2. After running the Analyser, getting these results....

3. After trying to fix it from the Analyser, getting this result for "Bootstrap the MSDRM Client"...

4. After trying to fix it from the Analyser, getting this error for "Update RMS settings for MS Office 2013"...

5. After trying to run the Analyser on the AD RMS server, getting these results...

6. Getting this result when opening "perform group membership checks"...

7. Getting this result when opening "acquire a license"...

Can anyone suggest where I am making a mistake? All replies will be appreciated.

AD RMS & Resource Forest


We have forest A with user accounts and forest B with Exchange installed, using linked mailboxes for this topology.

Now we'd like to deploy AD RMS in forest A (user accounts). Could it work with email protection in Exchange (forest B)?

Could you share a link or guide on how to achieve it, perhaps step-by-step?

Thank you!

Check behavior on email communication with RMS template


I have created an RMS template and published it to users to use with MS Outlook.

Scenario:

1) User A sends an RMS-protected email to User B.

2) User B replies to this email to User A and modifies User A's email content.

3) User A and User B cannot read the email, which also shows weird characters.

Is this known behavior? Is there any MS knowledge base article that states it?


Users cannot access files because RMS keeps saying they are not member of the group


Hi,

We use RMS to apply policy templates to files automatically, but the majority of users simply cannot access files with these policies applied. The policies applied provide access for 2 mail-enabled universal security groups; however, members of these groups cannot access the files.

I ran the RMS Analyzer tool and the diagnostics all came back green, but when I test for group membership using it, it cannot seem to tell if users are in or out of the group. Most users have been in this security group for years, so why does RMS tell me that they are not in it?

How can I tell which users RMS thinks are in that group, and when I add / remove people and then wait a day for replication, why do I still get the same response?

Any advice would be much appreciated as I am kinda out of ideas right now.

Dave

AD RMS mail template "on the fly" like "do not forward"


Hello,

We are using AD RMS (on premise) with Exchange 2013.

We would like to protect some emails with an AD RMS template that generates a rule "on the fly" and lets only the recipient decrypt the message.

The default "do not forward" template is fine, but we would like a more permissive rule that only protects the mail with AD RMS, without any restrictions. It's not possible to create an AD RMS template for each employee; it could become a big mess.

Do you have any suggestions? It seems that the standard "do not forward" template cannot be modified or duplicated.

Thanks in advance for any ideas :)

Best regards

Gabriel

Silently configure server settings on the client side


Greetings,

We are faced with a pressing need to publish a document with AD RMS protection + SharePoint. It works well and the documents are protected; however, users who have never opened the document before are greeted with the configuration message

"To create and consume content with restricted access, this application must connect to one of the following URL(s)" etc. "to verify your credentials and download content policies and permissions."

Clicking works.

However, the message itself usually pops up behind all the windows, making the users wait without being prompted that it has appeared. Therefore it seems to them that the document failed to load.

I have tried reading the documentation, but the closest I have found is this:

https://docs.microsoft.com/en-us/azure/information-protection/install-configure-rms-connector#installing-the-rms-connector

and

https://docs.microsoft.com/en-us/azure/information-protection/rms-client/client-deployment-notes

Is there a way to remotely configure the settings so that the application bypasses the little window that pops up? (Single sign on of sorts) Or to find a way for the window to open up in front of everything?

Thank you in advance,




AD RMS Logging Can't be Enabled


I configured my Windows Server 2012 R2 AD RMS with a SQL mirroring solution following this document: http://social.technet.microsoft.com/wiki/contents/articles/14977.test-lab-guide-configuring-ad-rms-with-sql-mirroring-in-windows-server-2012.aspx

The logging configuration is shown below:

Logging Server: data source=Server01;failover partner=Server02;initial catalog=DRMS_Logging_adrms_dc1_dc2_dc3_dc4_443

Logging Database: DRMS_Logging_adrms_dc1_dc2_dc3_dc4_443

When the SQL principal server is set to Server02, everything works fine, but once the SQL principal is set to Server01, a new user is not able to create/open encrypted email. Event Viewer shows:

The SQL Server log shows AD RMS is trying to write the log to the mirroring database server, Server02, with the error below:

Database mirroring is active with database 'DRMS_Logging_adrms_dc1_dc2_dc3_dc4_443' as the mirror copy. This is an informational message only. No user action is required.
Login failed for user 'domain\admin'. Reason: Failed to open the explicitly specified database 'DRMS_Logging_adrms_dc1_dc2_dc3_dc4_443'. [CLIENT: 10.78.110.40]

Can any RMS/SQL expert tell me why my AD RMS did not keep trying when saving the log to the mirror server Server02 failed?


Jason


Update Textbox in GUI Powershell


I have a button in my GUI that is supposed to write text into a textbox. The problem is that the button replaces the existing text, which is only supposed to happen when there is no "@" in the textbox. This is what my code looks like:

Function SendAs
{
	# Let the operator pick one or more users from a grid view
	$SAUser = Get-ADUser -Filter * | Out-GridView -PassThru
	$Userarray = @()
	Foreach ($user in $SAUser) { $Userarray += ('@{0}' -f $user.SamAccountName) }
	$saustext = $Userarray -join " "
	# -notcontains tests array membership, so against a string it is always true and the
	# textbox was overwritten every time; -notmatch does the substring test intended here.
	if ($txtAccName.Text -notmatch "@")
	{ $txtAccName.Text = $saustext }
	else
	# += already appends to the existing text; adding $txtAccName.Text again duplicated it
	{ $txtAccName.Text += " " + $saustext }
}

Migrate AD RMS 2008 to 2016


Sorry, I cannot find documentation about migration from 2008 to 2016 and want to confirm before I move.

Background

  1. Existing database on SQL 2008
  2. The URL already has a CNAME

Questions

  1. The DB is on SQL 2008; is that OK? Also, during the migration, will users be unable to use it?
  2. How do I remove the old Windows 2008 server from the cluster?
  3. Should I move the DB first or migrate RMS first? The new DB server will have an availability group.

Manage Password Store in IE11 Through Group Policy


We are looking at managing our password store in IE11 through group policies. Where can this be done in the Group Policy editor?

It can be done for Edge, managed in the Group Policy Management Editor under Windows Components, Microsoft Edge, Configure Password Manager, but I can't find anything like this for IE11.

We're using NetIQ's SecureLogin at the moment and want to get rid of it, as the only thing it's now managing is the users' password store. One less application for desktops to support, so if it's already built into the O/S, why keep it?

Any help would be appreciated.


the application received an unexpected response from the rights management server


Hi, guys! I have two forests, blue.local and green.local, both on Windows 2016. In both forests I deployed an AD RMS cluster and created a TPD. I created Word and Excel documents with RMS protection in the blue.local domain. If I try to open these documents in the green.local domain I get the error "the application received an unexpected response from the rights management server due to misconfiguration or a server error".



Need Ldap query to prevent user search in particular OU's in active directory


We need to skip the user search in a particular OU. So what would be the LDAP query to search all users except those in the specified OU and its sub-OUs?
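One way to get that result, as an added example that is not part of the original post: Active Directory's distinguishedName attribute has DN syntax and does not support substring (wildcard) matching, so a filter like (!(distinguishedName=*OU=x*)) cannot do the exclusion server-side; the users are fetched with a normal user filter and the OU subtree is dropped client-side. The domain DN and the OU name are assumptions.

```powershell
# Added example: list users while skipping one OU and everything beneath it.
# Assumed names: domain DC=corp,DC=example and the OU to skip (OU=Contractors).
Import-Module ActiveDirectory

$SearchBase = 'DC=corp,DC=example'                   # assumption
$ExcludedOu = 'OU=Contractors,DC=corp,DC=example'    # assumption: OU subtree to skip

function Get-UsersOutsideOu {
    param([string]$SearchBase, [string]$ExcludedOu)
    # Server-side: real user accounts only (objectClass=user alone also matches computers)
    Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user))' `
               -SearchBase $SearchBase -SearchScope Subtree |
        Where-Object {
            # Client-side: a user in the OU or any child OU has a DN ending with
            # ",OU=Contractors,DC=corp,DC=example". The leading comma anchors the
            # match to a full RDN boundary so OU=SubContractors is not excluded too.
            -not $_.DistinguishedName.EndsWith(",$ExcludedOu",
                    [System.StringComparison]::OrdinalIgnoreCase)
        }
}

Get-UsersOutsideOu -SearchBase $SearchBase -ExcludedOu $ExcludedOu |
    Select-Object SamAccountName, DistinguishedName
```

The same approach applies to any LDAP client: search from the domain root with the user filter above and discard entries whose DN ends with the excluded OU's DN.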

AD RMS, the black hole in Microsoft Licensing


Hello,

I have read the Product Use Rights from A to Z, I have searched the web everywhere, I have asked Microsoft Partner Support and some local Microsoftees, and I cannot find a single rule about AD RMS licensing!

All I found is that AD RMS is an additive CAL to Windows Server. That means it is an additional product and doesn't have to be company-wide. Which means we need some rules to decide whether a user/device needs a CAL or not. But there aren't any!

Well, to be honest, there is one rule, applying to Windows Server Essentials, a product I have never personally seen in production with AD RMS...

Even if we assume it is a mistake and that the "Windows Server Essentials" rule applies to Windows Server Standard and Datacenter, the licensing headache goes further with AD RMS-aware applications, like Microsoft Office or Microsoft Exchange.

Licensing AD RMS with Office is somewhat covered by some TechNet articles, where we can guess that only the users/devices creating protected documents need Office Pro Plus licenses, while readers/reviewers can use Office Standard or Office Web Apps. Still, nothing is said about the underlying AD RMS CALs. Who needs them? Users creating, probably. But what about the others?

Licensing AD RMS with Exchange is much less documented, as I can only find a table saying some IRM features require the Exchange Enterprise CAL. But who needs the Enterprise CAL? The users creating the protected messages in Outlook? The users creating the transport rules in Exchange? All the users reading the protected messages? And again, nothing is said about the underlying AD RMS CALs.

Any help on those licensing topics would be much appreciated.

Thank you.

Gilles Messinger

SAM Consultant

No Exchange, Office, or SharePoint integration with AD RMS 2016


Installed AD RMS on Windows 2016; the computer it is installed on is a DC.

A 3rd-party certificate is installed and used for the service; it is also a wildcard.

I am able to get into the AD RMS Admin tool if I am on the machine it is installed on, but not remotely. It gives 401 Unauthorized. AD RMS is configured to use SSL, and IIS has bindings for 80 and 443.

IIS Log:

POST /_wmcs/admin/RoleMgr.asmx - 443 - <IP> Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - 401 2 5 140

POST /_wmcs/admin/RoleMgr.asmx - 443 <UserName> 10.4.6.40 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - 401 5 0 640

When I run Test-IRMConfiguration on the Exchange 2016 server I get the following.

[PS] C:\Windows\system32>Test-IRMConfiguration -Sender <EMail Address>


Results: Checking Exchange Server ...
              - PASS: Exchange Server is running in Enterprise.
          Loading IRM configuration ...
              - PASS: IRM configuration loaded successfully.
          Retrieving RMS Certification Uri ...
              - PASS: RMS Certification Uri: https://adrms.sccmha.org/_wmcs/certification.
          Verifying RMS version for https://adrms.sccmha.org/_wmcs/certification ...
              - PASS: RMS Version verified successfully.
          Retrieving RMS Publishing Uri ...
              - PASS: RMS Publishing Uri: https://adrms.sccmha.org/_wmcs/licensing.
          Acquiring Rights Account Certificate (RAC) and Client Licensor Certificate (CLC) ...
              - FAIL: Failed to acquire a Rights Account Certificate (RAC) and/or a Client Licensor Certificate (CLC). This failure may cause features such as Transport Decryption, Transport Protection Rules, Journal Report Decryption,
          IRM in Outlook Web App, IRM in Exchange ActiveSync, and IRM Search to not work. Make sure that the Exchange Servers Group is granted "Read" and "Read & Execute" rights on the ServerCertification.asmx and Publish.asmx
          pipelines on your AD RMS server. For details, see "Set Permissions on the AD RMS Certification Pipeline" at  http://go.microsoft.com/fwlink/?LinkId=186951.
          ----------------------------------------
          Microsoft.Exchange.Security.RightsManagement.RightsManagementException: Failed to acquire server box RAC from https://adrms.sccmha.org/_wmcs/certification/servercertification.asmx. --->
          System.Web.Services.Protocols.SoapException: System.Web.Services.Protocols.SoapException: Exception of type 'System.Web.Services.Protocols.SoapException' was thrown. ---> System.UnauthorizedAccessException: Exception of type
          'System.UnauthorizedAccessException' was thrown.
             --- End of inner exception stack trace ---
             at Microsoft.DigitalRightsManagement.Certification.BaseCertificationWebService.Certify(CAType caType, CertifyParams requestParameters)
             at Microsoft.DigitalRightsManagement.Certification.ServerCertificationWebService.Certify(CertifyParams requestParams)
             at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
             at System.Web.Services.Protocols.SoapHttpClientProtocol.EndInvoke(IAsyncResult asyncResult)
             at Microsoft.Exchange.Security.RightsManagement.SOAP.ServerCertification.ServerCertificationWS.EndCertify(IAsyncResult asyncResult)
             at Microsoft.Exchange.Security.RightsManagement.ServerCertificationWSManager.EndAcquireRac(IAsyncResult asyncResult)
             --- End of inner exception stack trace ---
             at Microsoft.Exchange.Data.Storage.RightsManagement.RmsClientManager.EndAcquireInternalOrganizationRACAndCLC(IAsyncResult asyncResult)
             at Microsoft.Exchange.Management.RightsManagement.IRMConfigurationValidator.TryGetRacAndClc()
          ----------------------------------------

          OVERALL RESULT: FAIL

Exchange can access and get the templates that were created.

[PS] C:\Windows\system32>Get-RMSTemplate

Name           Description                                                                      TemplateGuid
----           -----------                                                                      ------------

Confidential   Recipients can only view this message.                                            4dc13322-1317-414b-9dc5-23def7b9f535

Do Not Forward Recipients can read this message, but they can't forward, print, or copy content. cf5cf348-a8d7-40d5-91ef-a600b88a395d

IIS Log:

POST /_wmcs/certification/ServiceLocator.asmx - 443 - <IP> Windows+Rights+Management+Client - 401 2 5 0

POST /_wmcs/certification/server.asmx - 443 - <IP> Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - 200 0 0 0

POST /_wmcs/certification/servercertification.asmx - 443 - <IP> Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.42000) - 500 0 0 15

ServerCertification.asmx and Server.asmx have Anonymous and Windows Authentication; ServiceLocator.asmx just has Windows Authentication enabled.

In the Certification folder:

Server.asmx and ServiceLocator.asmx has System (FC), AD RMS Service Group (R&E, R), Administrators [Domain] (FC), and Users [Domain] (R&E, R) for NTFS permissions.

ServerCertification.asmx has System (FC), AD RMS Service Group (R&E, R), SharePoint Service Account (R&E, R), Exchange Servers (R&E, R), Administrators [Domain] (FC), and Users [Domain] (R&E, R) for NTFS permissions.

In the Licensing folder:

Publish.asmx has System (FC), AD RMS Service Group (R&E, R), Exchange Servers (R&E, R), Administrators [Domain] (FC), and Users [Domain] (R&E, R) for NTFS permissions.

When I try to use RMS from Outlook or another Office program to protect something, it will first want to connect and get templates; once clicking on this, it will ask for Username / Password. If given, it will continue to ask for the information until you hit cancel. The process will lock out the account as well if done enough times.

IIS Logs:

POST /_wmcs/certification/ServiceLocator.asmx - 443 - <IP> MSIPC;version=1.0.2456.0;AppName=OUTLOOK.EXE;AppVersion=16.0.4756.1001;AppArch=amd64;PID=7244;OSName=Windows;OSVersion=10.0.14393;OSArch=amd64 - 401 2 5 0

POST /_wmcs/certification/ServiceLocator.asmx - 443 - <IP> MSIPC;version=1.0.2456.0;AppName=OUTLOOK.EXE;AppVersion=16.0.4756.1001;AppArch=amd64;PID=7244;OSName=Windows;OSVersion=10.0.14393;OSArch=amd64 - 401 2 5 15

GET /_wmcs/certification/ServiceLocator.asmx - 443 - <IP> MSIPC;version=1.0.2456.0;AppName=WINWORD.EXE;AppVersion=16.0.4756.1000;AppArch=amd64;PID=9244;OSName=Windows;OSVersion=10.0.14393;OSArch=amd64 - 401 2 5 0

POST /_wmcs/certification/ServiceLocator.asmx - 443 - <IP> MSIPC;version=1.0.2456.0;AppName=WINWORD.EXE;AppVersion=16.0.4756.1000;AppArch=amd64;PID=9244;OSName=Windows;OSVersion=10.0.14393;OSArch=amd64 - 401 2 5 0

POST /_wmcs/certification/ServiceLocator.asmx - 443 - <IP> MSIPC;version=1.0.2456.0;AppName=WINWORD.EXE;AppVersion=16.0.4756.1000;AppArch=amd64;PID=9244;OSName=Windows;OSVersion=10.0.14393;OSArch=amd64 - 401 2 5 0

POST /_wmcs/certification/ServiceLocator.asmx - 443 - <IP> MSIPC;version=1.0.2456.0;AppName=WINWORD.EXE;AppVersion=16.0.4756.1000;AppArch=amd64;PID=9244;OSName=Windows;OSVersion=10.0.14393;OSArch=amd64 - 401 2 5 0

I have run the RMSAnalyzer as RMS Admin; for the active address it reads it from AD, and when I select it the program will detect and auto-populate the General Information and Service Endpoints (Internal, External, and Group). It will pass "SCP is registered" and get templates from RMS; however, it fails on "perform group membership checks".

On the client machine that requests RMS, it looks as if the machine cert is processed, as CERT-Machine.drm and CERT-Machine-2048.drm are present, but not the RAC or CLC (I presume they should be there from the research I have done).

I believe this is a permissions issue somewhere, but I can't find out where. From all the information I have read on this, the permissions are what they should be and it somewhat works, but not fully.

Any assistance with this would be very helpful.
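A check for the permission requirement that Test-IRMConfiguration spells out in the post above (Exchange Servers needing Read and Read & Execute on ServerCertification.asmx and Publish.asmx), as an added example that is not part of the original post or of Microsoft's tooling. The AD RMS web root path and the identity names are assumptions; run it on the AD RMS server.

```powershell
# Added example: verify the NTFS ACEs on the two AD RMS pipeline files that the
# Exchange server box (and the AD RMS service group) must be able to read and execute.
$WmcsRoot = 'C:\inetpub\wwwroot\_wmcs'   # assumption: default AD RMS web root
$Pipelines = @(
    (Join-Path $WmcsRoot 'Certification\ServerCertification.asmx'),
    (Join-Path $WmcsRoot 'Licensing\Publish.asmx')
)
# Identities that need Read and Read & Execute on both files; add the SharePoint
# service account here if SharePoint IRM is also in use (assumed group names).
$RequiredIdentities = @('Exchange Servers', 'AD RMS Service Group')

# ReadAndExecute is a combined flag (Read + ExecuteFile/Traverse); every bit must be set.
$Needed = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Test-PipelineAce {
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -Path $Path
    # Match on the account name regardless of the DOMAIN\ or COMPUTER\ prefix,
    # and look only at Allow entries (inherited ones included).
    $aces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -like "*\$Identity" -and
        $_.AccessControlType -eq 'Allow'
    }
    foreach ($ace in $aces) {
        if (($ace.FileSystemRights -band $Needed) -eq $Needed) { return $true }
    }
    return $false
}

foreach ($file in $Pipelines) {
    if (-not (Test-Path -Path $file)) { Write-Warning "Missing: $file"; continue }
    foreach ($id in $RequiredIdentities) {
        $ok = Test-PipelineAce -Path $file -Identity $id
        '{0,-4} {1,-22} {2}' -f ($(if ($ok) { 'PASS' } else { 'FAIL' }), $id, $file)
    }
}
```

A FAIL line for "Exchange Servers" on either file matches the RAC/CLC acquisition failure shown in the Test-IRMConfiguration output; a PASS on both files points the investigation elsewhere (for example the IIS authentication settings on the pipeline files).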

General Question on Data Protection/loss


Hi there,
I am not sure whether this is the right place to ask this question. If this is not the correct place, please guide me and I shall post it there.
I got a strange requirement as part of a recent project that our company is involved with. The project involves sensitive information, and hence the data is restricted to only the team members involved in the project. We have a network share, and the NTFS and share permissions have been secured to allow only the members of an Active Directory security group (this security group has all the project members).
The members of this security group can create / modify / delete files & subfolders inside the folder.
The real requirement now is to stop these users from doing the following activities:

  1. Copying the files from this folder or its subfolders to another location
  2. Opening a Word document (or any other type of document) and using the 'Save As' function to save it to a different location
  3. Opening a Word document (or any other type of document) and copying the contents to a new document.
    Basically, we need to prevent the theft of data.

Is there a way of achieving this requirement? Any help / guidance towards achieving this is fine. I can research more on that and come to a conclusion. Thanks for your suggestions / help on this.

