Recently the project I'm supporting is looking at RMS to provide information rights management (IRM) on some documents. Windows RMS provides two means to let users protect content. First, there is the ad hoc method that lets a user specify what protections they want to put on their content, and which users/groups it applies to. Second, an RMS administrator can configure standard templates (e.g. "Company Confidential") which all users in the enterprise can use. In most organizations both content protection methods have their place.
However, I'm disappointed in how Microsoft implemented these templates. You'd think the RMS client would dynamically query the RMS server for available templates when you want to protect content and present them to the user for selection. However, it's much more brain dead and less dynamic. In Windows XP and Vista RTM, the administrator had to 'manually' copy the XML templates to a special directory on each and every computer for every user. Most used a GPO or logon script. Still a kludge if you ask me.
Starting with Vista SP1 and later, including Windows 7, Microsoft included a scheduled task called "AD RMS Rights Policy Template Management" which discovers the RMS servers in the environment and downloads the templates for each user. It's triggered to run every day at 3AM or at user logon time.
However, the default configuration of this task is brain dead. Under HKCU\Software\Microsoft\MSDRM\TemplateManagement there's a key called "lastUpdatedTime" which gets populated each time the scheduled task runs. There's also another key called "UpdateFrequency" which is set to 30. What does the 30 mean? It will only download templates once every 30 days. Even if you manually run the task it won't touch the RMS servers. The minimum you can set the frequency to is once a day (1). You can, however, delete the "lastUpdatedTime" key; the next run will then check the RMS server and re-populate it.
Another very important point is to add the RMS FQDN to each user's Local Intranet security zone in IE. If you don't do this, the task won't authenticate to the RMS IIS server and you will get a Last Run Result of (0x8004CF43).
If the task worked, it probably has a Last Run Result of (0x4CF04). To confirm the templates actually downloaded, go to your profile directory; under C:\Users\%username%\AppData\Local\Microsoft\DRM\Templates you should see one XML document for each template defined in the RMS console. If not, make sure you have invoked a document protection attempt in Office so that it discovers your RMS server.
Another annoyance with RMS is that Office isn't smart enough to look in this templates folder by default. NO! Let's make it harder on our admins to get all of this working. Under:
HKCU\Software\Microsoft\Office\14.0\Common\DRM
you need to create a REG_EXPAND_SZ value with a name of AdminTemplatePath with a value of:
%UserProfile%\AppData\Local\Microsoft\DRM\Templates
Why Microsoft needs to make this so difficult is beyond me. Personally I think the embedded RMS client should make a dynamic web services call to the RMS server when a user wants to protect content, get the latest templates, and cache them locally. Office needs to look at the default template location too. Also remember the scheduled task is NOT enabled by default. So if your organization is going to use RMS, you need to configure a GPO or script to enable the task on all Vista SP1 and later clients. If you are going to use Remote Desktop Services (RDS) or XenApp, enable the scheduled task on your servers.
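As an added example (not from the original post), this PowerShell script applies the per-user settings described above and then checks whether any templates have arrived. The RMS FQDN is a placeholder, the scheduled task's folder path is an assumption, and the Office key is the 14.0 one named in the post.

```powershell
# Added example, not from the original post. Assumptions: RMS FQDN below is a placeholder,
# the scheduled task folder path is assumed, and Office 14.0 (2010) is the installed version.
param(
    [string]$RmsFqdn = 'rms.example.com',   # PLACEHOLDER: your AD RMS cluster FQDN
    [switch]$ForceRefresh                   # drop lastUpdatedTime so the next run re-queries the server
)

$mgmt      = 'HKCU:\Software\Microsoft\MSDRM\TemplateManagement'
$drm       = 'HKCU:\Software\Microsoft\Office\14.0\Common\DRM'
$templates = Join-Path $env:LOCALAPPDATA 'Microsoft\DRM\Templates'

# 1. UpdateFrequency defaults to 30 (days); 1 is the minimum accepted.
New-Item -Path $mgmt -Force | Out-Null
Set-ItemProperty -Path $mgmt -Name 'UpdateFrequency' -Value 1 -Type DWord
if ($ForceRefresh) {
    Remove-ItemProperty -Path $mgmt -Name 'lastUpdatedTime' -ErrorAction SilentlyContinue
}

# 2. Point Office at the download folder. Must be REG_EXPAND_SZ so %UserProfile% expands.
New-Item -Path $drm -Force | Out-Null
New-ItemProperty -Path $drm -Name 'AdminTemplatePath' -PropertyType ExpandString -Force `
    -Value '%UserProfile%\AppData\Local\Microsoft\DRM\Templates' | Out-Null

# 3. Put the RMS host in the Local Intranet zone (zone id 1) so the task can authenticate to IIS.
$labels    = $RmsFqdn.Split('.')
$hostLabel = $labels[0]
$domain    = ($labels | Select-Object -Skip 1) -join '.'
$zoneKey   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$hostLabel"
New-Item -Path $zoneKey -Force | Out-Null
foreach ($scheme in 'http', 'https') {
    Set-ItemProperty -Path $zoneKey -Name $scheme -Value 1 -Type DWord
}

# 4. The task is NOT enabled by default. Task folder path is an assumption; adjust if yours differs.
$taskName = '\Microsoft\Windows\Active Directory Rights Management Services Client\' +
            'AD RMS Rights Policy Template Management (Automated)'
schtasks.exe /Change /TN $taskName /ENABLE | Out-Null

# 5. Verify: expect one XML file per template defined in the RMS console.
$count = (Get-ChildItem -Path $templates -Filter '*.xml' -ErrorAction SilentlyContinue | Measure-Object).Count
Write-Output "UpdateFrequency=$((Get-ItemProperty -Path $mgmt).UpdateFrequency); templates downloaded: $count"
if ($count -eq 0) {
    Write-Output 'No templates yet: protect a document in Office once so the client discovers the RMS server, then run the task.'
}
```

Run it once per user (logon script or GPO-deployed), and on RDS/XenApp servers as well, since the task and these keys are per-user.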
I feel your pain with template deployment, but wanted to add two comments that might clarify some of the issues you are having.
1) the problem with having to wait 30 days to download the templates is not such a problem if you run the OTHER pre-programmed task in Windows 7 and Windows Vista SP1 (called AD RMS Rights Policy Template Management (Manual) as opposed to AD RMS Rights Policy Template Management (Automated)). That one will download files immediately regardless of them having changed or not. The other task you tried is designed to be run automatically to keep the templates "fresh", not to be run manually as you tried.
2) It doesn't matter to the client if the template definitions have changed or not in the server, the template will work anyway since it is only the template description that will get downloaded to the client. The policy will be applied by the server and not at the client, so if rights changed, clients are fine even with the older version of the template file. Only if you add and remove templates or if you change their names is it important that the client gets an update. And you shouldn't need to change that sort of thing frequently. In fact it is advised that you don't change them more than every few YEARS, or users might get confused. It is like changing where options are in the Office menus, you don't want to do it unless strictly necessary.
HTH.