AD RMS Configuration Step by Step

 

Active Directory Rights Management Services (AD RMS)

AD RMS protects digital data from unauthorized users by applying rights policy templates to data at rest on a file system and to data in transit, for instance in an email message. The purpose of this lab is to build a working AD RMS infrastructure in a test environment. AD RMS works only with AD RMS-aware applications such as Microsoft Office, Microsoft 365 apps, Microsoft Outlook, Azure, and so on. The document author defines a set of usage rights and then distributes the file to the authorized users or clients via a share, email, a SharePoint site, or any other method. Note that if you are not an authorized user for a specific document, you will not be allowed to open it, even if you are a user in the same network or organization. You also cannot open the document as a user outside the network unless AD RMS is configured in conjunction with AD FS.

In either case, you may receive one of the following messages:

User inside the network


User outside the network

 

Scenario:

As the IT administrator of your organization, you have been asked to configure AD RMS with a service account and two user accounts, each with its own set of rights: RMSUser1 with full control rights and RMSUser2 with view rights only. How should you configure AD RMS for this scenario?

The requirements for this test lab, as per the given scenario, are:

A Domain Controller to manage the user accounts and provide access to resources, and a domain member (client machine) on which an AD RMS-compatible application such as MS Word is installed for testing.

It is recommended to install AD RMS on one of the domain member machines rather than on the DC. Here, however, we have installed AD RMS on the DC because this is only a test environment.

Overall procedure in short:

◼ DC: Open “Active Directory Users and Computers”. Create 3 users in total: one service account (RMSAdmin) and two AD RMS users. The service account is used solely for managing AD RMS. Give every user an email address, since the RMS service requires an email ID. Make the service account (RMSAdmin) a member of the Schema Admins, Enterprise Admins, or Domain Admins group, since it needs administrative rights to perform its administrative functions; alternatively, delegate only the specific permissions the account requires.

◼ Configure the Certificate Services role on the DC along with the IIS role. After deployment, open IIS Manager and create a Domain Certificate under ‘Server Certificates’. (Only needed if you want an SSL-encrypted connection.)

◼ Deploy the AD RMS role and perform the additional configuration. Open the AD RMS console from Tools to create rights policy templates for users.

◼ Go to the client machine, connect to RMS from MS Word, set an access policy using a predefined or newly created template, and finally verify that it takes effect.

Step 1: Ensure a proper interconnection between the Domain Controller and the DC-member.        


Here, I pinged 172.16.1.2 from 172.16.1.1 first and received 100% of the packets in reply. Then I did the reverse and got the same result, which indicates that there is stable connectivity between the two machines.

Step 2: Open the “Active Directory Users and Computers” console. Create a user (the service account) that will serve as the credential account under which the AD RMS service authenticates the other authorized users.


N.B.: Since this is the ‘Service Account’ to be used for authentication purposes, make sure you select the “password never expires” option.  


The above ‘service account’ has to be a member of the Administrators group. Usually, the AD RMS role is installed on a member server rather than on the DC. The reason is that installing AD RMS on a DC and giving the ‘service account’ Administrators membership effectively makes that account a domain admin with full control of the domain, which is dangerous. So, it is advised not to configure AD RMS on a DC in a real-life environment.

Step 3: Make the service account “RMSAdmin” a member of the Administrators group.



Step 4: Create the two users who will use the AD RMS feature. (You can create as many users as your organization requires.)





Click Next & Finish. 

Follow the same steps to create one more user named “RMSUser2”.


Step 5: AD RMS uses email addresses to authenticate users, so give each user a valid email address. Since this is a test lab and we have no real email addresses to assign, give each user a fake email address so that authentication works smoothly.

Go to ‘Properties’ of “RMSAdmin” and, under the ‘General’ tab, type the fake email address.

TIP: If you want to set the email addresses of multiple users at once, with the local part of each address taken from the user’s username, select the users, go to their properties, and do the following.

N.B.: From a user’s ‘Properties’ you can also configure many other settings as required, such as Remote Desktop Services session timeout and reconnection settings, remote control, and the Remote Desktop Services profile.
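The account provisioning of Steps 2 to 5 can also be done from PowerShell with the ActiveDirectory module. The script below is an added example, not part of the original lab; the domain name lab.local and the OU path are assumed placeholders.

```powershell
# Added example: provisions the AD RMS service account and the two test users
# (Steps 2-5) on the DC. Assumptions: domain lab.local, OU "OU=ADRMS,..." exists.
Import-Module ActiveDirectory

$domain   = 'lab.local'                        # assumed lab domain
$ou       = 'OU=ADRMS,DC=lab,DC=local'          # assumed OU for the lab accounts
$password = Read-Host -AsSecureString 'Initial password for the new accounts'

# Step 2: the service account, with "password never expires" as the lab requires.
New-ADUser -Name 'RMSAdmin' -SamAccountName 'RMSAdmin' -Path $ou `
    -AccountPassword $password -Enabled $true -PasswordNeverExpires $true

# Step 3: lab only. In production keep AD RMS off the DC and delegate only the
# rights the service account needs instead of Administrators membership.
Add-ADGroupMember -Identity 'Administrators' -Members 'RMSAdmin'

# Step 4: the two AD RMS users.
foreach ($name in 'RMSUser1', 'RMSUser2') {
    New-ADUser -Name $name -SamAccountName $name -Path $ou `
        -AccountPassword $password -Enabled $true
}

# Step 5 (and the TIP): derive each mail address from the username in one pass.
Get-ADUser -Filter 'SamAccountName -like "RMS*"' -SearchBase $ou |
    ForEach-Object { Set-ADUser $_ -EmailAddress "$($_.SamAccountName)@$domain" }

# Check: every account must carry a mail address, otherwise AD RMS cannot
# identify the user and the client will fail to obtain templates later.
Get-ADUser -Filter 'SamAccountName -like "RMS*"' -SearchBase $ou `
    -Properties EmailAddress, PasswordNeverExpires |
    Select-Object SamAccountName, EmailAddress, PasswordNeverExpires
```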


Step 6: After creating the ‘service account’ and the AD RMS users, install the AD RMS role on your machine.




Leave the ‘Select features’ page as it is and click Next until the following page appears.






Since we do not have a dedicated database server, we are using the Windows Internal Database on this server.







In a production environment it is recommended to use an SSL-encrypted connection. Since we have no SSL certificate for this lab, we are using the unencrypted connection (HTTP).


Choose to register the SCP later only if the account you are installing with is not a member of the Enterprise Admins group; registering the SCP requires Enterprise Admin rights.
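After the role is deployed, it is worth confirming that the SCP really exists before moving on, because without it clients will not locate the cluster automatically. The check below is an added example, not part of the original lab; it assumes the AD RMS SCP sits under CN=RightsManagementServices,CN=Services in the configuration partition and publishes the cluster URL in the serviceBindingInformation attribute.

```powershell
# Added example: verify that the AD RMS service connection point (SCP) was
# registered in the forest's configuration partition and inspect the cluster URL.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext

# Search all SCPs in the configuration partition and keep the AD RMS one
# (assumed container: CN=RightsManagementServices,CN=Services,<config NC>).
$scp = Get-ADObject -LDAPFilter '(objectClass=serviceConnectionPoint)' `
    -SearchBase $configNC -Properties serviceBindingInformation |
    Where-Object DistinguishedName -like '*CN=RightsManagementServices,CN=Services,*'

if (-not $scp) {
    Write-Warning ('No AD RMS SCP found. Register it from the AD RMS console ' +
                   '(requires Enterprise Admins) so clients can discover the cluster.')
} else {
    foreach ($url in $scp.serviceBindingInformation) {
        Write-Output "AD RMS cluster URL published in the SCP: $url"
        # The lab uses plain HTTP; flag it so it is not forgotten before production.
        if ($url -like 'http://*') {
            Write-Warning 'Cluster URL is plain HTTP; switch to HTTPS before production use.'
        }
    }
}
```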




Step 7: Open the ‘Active Directory Rights Management Services’ console from Tools. Create ‘Rights Policy Templates’ with a set of rights for the AD RMS users.





After assigning the necessary rights to the users or groups, click Next to go to the next page.


RMSUser1

Here, I have assigned full-control rights to RMSUser1.

RMSUser2


Here, I have assigned view rights only to RMSUser2. The user cannot make any changes to the documents it has access to; it can only view their contents.



Here, you can specify the content expiration time according to your organization’s policy. I have left it at the default, which is ‘never expires’.

Specify additional conditions and extend the policy according to your organization’s requirements, or leave the default policy. Here, I have left the default policy.


You can also specify a URL where the revocation list is published, or leave it as it is and click Finish.

 

You can also view the rights policy in detail from here.


Step 8: Sign in as RMSUser1, connect to the rights management servers and get the templates first. (To perform this step, make sure Microsoft Office, one of the AD RMS-compatible applications, is installed on your device.)

Of my two users, I have assigned RMSUser1 full control and RMSUser2 view rights only. Interestingly, no one except RMSUser1 can modify the document; not even the domain administrator or the service account holder.

To apply the rights policies to your document for the specific users, do the following.

Open MS Word, write something in it, go to the Info tab, and from there choose Protect Document > Restrict Access > Connect to Rights Management Servers and get templates.

 

You’ll be asked for credentials. As a user of the AD RMS feature and the owner of the document, enter the username and password with which you signed in to the machine.

When templates are retrieved from the AD RMS server, you’ll find the template created by you along with the predefined templates. 

Click your template to protect the document with that set of rights.


Step 9: Create a folder, place the documents protected by the rights policies in it, and share it with everyone in the network.

 



Finally, verify the outcome of the AD RMS configuration:

Check the permissions on the document while signed in as RMSUser1. Remember, RMSUser1 has full rights on the document.


Signed in as RMSUser1

Now, sign in as RMSUser2, who has only view rights on the document. Find the document in the shared folder named ADRMS-Share.

When you open the document for the very first time, you’ll be shown some warnings and will need to provide your credentials to connect to the AD RMS server. Click OK and continue.




Provide your credentials

Signed in as RMSUser2


Comparison between RMSUser1 and RMSUser2 with different rights:

There we go! We have successfully configured AD RMS and assigned users with specific permissions to get access to documents.  


Happy learning! 😊