Microsoft Windows Server 2008 R2 - AD RMS Bulk Protection Tool and File Classification Infrastructure Whitepaper

AD RMS Bulk Protection Tool and File Classification Infrastructure – Step-by-Step

Microsoft Corporation
Published: January 2010
Author: Bill Mathers
Editor: John Andrilla

Acknowledgements

Special thanks to the following people for reviewing and providing invaluable feedback for this document:

  • Clinton Ho, Microsoft Corporation.
  • Matthias Wollnik, Microsoft Corporation.
  • Saket Kataruka, Microsoft Corporation.
  • Jason Tyler, Microsoft Corporation.

Abstract

This document will assist architects, consultants, system engineers, and system administrators in deploying the AD RMS Bulk Protection Tool in conjunction with Windows Server 2008 R2 File Classification Infrastructure.

Copyright

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document.
Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred.

© 2009 Microsoft Corporation. All rights reserved.

Active Directory, Microsoft, MS-DOS, Visual Studio, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

AD RMS Bulk Protection Tool and FCI Step-by-Step
About this Guide
What This Guide Does Not Provide
Requirements for this Document
The Scenario
  Scenario description
  The testing environment
  Required Groups
  Required accounts
Implementing the Procedures in this Document
  Step 1 - Create FabrikamUsers Organizational Unit
  Step 2 - Create Test Users
  Step 3 - Create Test Groups
  Step 4 - Add Users to Groups
  Step 5 - Install FCI on Windows Server 2008 R2
  Step 6 - Install AD RMS Bulk Protection Tool
  Step 7 - Create ADRMSPublic Shared Folder
  Step 8 - Create Fabrikam Confidential Rights Policy Template
  Step 9 - Create Fabrikam FTE Confidential Rights Policy Template
  Step 10 - Add AD RMS Cluster URL to Local Intranet for Local System
  Step 11 - Grant FCI Machine Account Read and Execute Permissions
  Step 12 - Grant AD RMS Service Group Read and Execute Permissions
  Step 13 - Create FabrikamDocuments Shared Folder
  Step 14 - Grant FCI Server Send As Rights
  Step 15 - Configure FCI for E-mail Notification
  Step 16 - Change Timeout on Certification Path Validation Settings
  Step 17 - Create Business Impact Classification Property
  Step 18 - Create dateEncrypted Classification Property
  Step 19 - Create LBI Classification Rule
  Step 20 - Create HBI Classification Rule
  Step 21 - Restrict Files to Fabrikam Employees
  Step 22 - Restrict Files to Full-Time Fabrikam Employees
Testing the Implementation
  Step 1 - Create an Intellectual Property Word Document
  Step 2 - Create a General Word Document
  Step 3 - Run File Server Resource Manager Classification Rules
  Step 4 - Run File Management Tasks
  Step 5 - Consume Documents As Britta Simon
  Consume Documents as Britta Simon
  Step 6 - Consume Documents As Lola Jacobson
  Consume Documents as Lola Jacobson
  Step 7 - Check Administrator's Email
Appendix A - MarkLBIandProtect Windows PowerShell Script
Appendix B - MarkHBIandProtect Windows PowerShell Script
Appendix C - Using a Regular Expression with FCI

AD RMS Bulk Protection Tool and FCI Step-by-Step

About this Guide

This step-by-step guide walks you through the process of configuring the AD RMS Bulk Protection Tool and FCI in a test environment. Windows Server 2008 R2 File Classification Infrastructure provides a built-in solution for file classification, allowing administrators to automate manual processes with predefined policies based on the data’s business value.

In this guide, the AD RMS Bulk Protection Tool will be used in conjunction with FCI to apply AD RMS rights policies based on the classifications that are determined by FCI.

As you complete the steps in this guide, you will:

  • Install File Classification Infrastructure on Windows Server 2008 R2.
  • Install and configure the AD RMS Bulk Protection Tool.
  • Configure FCI to use the AD RMS Bulk Protection Tool to apply policies based on business impact.
  • Verify the policies have been applied successfully.

What This Guide Does Not Provide

This guide does not provide the following:

  • Guidance for setting up and configuring Active Directory Domain Services in either a production or test environment. This guide assumes that Active Directory Domain Services is already configured in the test environment. For more information about configuring Active Directory Domain Services, see AD DS Installation and Removal Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=154567).
  • Guidance for setting up and configuring Active Directory Certificate Services in either a production or test environment.
    This guide assumes that Active Directory Certificate Services is already configured and working in the test environment. You must ensure that you have a valid SSL certificate and that the certificate chain is trusted in order for the AD RMS Bulk Protection Tool to automatically bootstrap the machine and the FCI Local System account. For more information about configuring Active Directory Certificate Services, see Active Directory Certificate Services (http://go.microsoft.com/fwlink/?LinkId=179761).
  • Guidance for setting up and configuring AD RMS in either a production or test environment. This guide assumes that AD RMS is already configured and working in the test environment. For more information about configuring AD RMS, see the AD RMS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkID=154256).
  • Guidance for setting up and configuring Exchange Server 2007 SP1 in either a production or test environment. This guide assumes that Exchange 2007 SP1 is already set up and configured in the test environment. For more information about configuring Exchange Server 2007 SP1, see Microsoft Exchange Server 2007 (http://go.microsoft.com/fwlink/?LinkId=154564).
  • Guidance for setting up and configuring Windows PowerShell in either a production or test environment. This guide assumes that Windows PowerShell is already set up and configured in the test environment on the FCI.fabrikam.com server. For more information about configuring Windows PowerShell using Server Manager, see Windows Server 2008 Server Manager Technical Overview (http://go.microsoft.com/fwlink/?LinkId=178642).
  • Guidance for installing psexec in either a production or test environment. Psexec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software.
    This guide assumes that psexec is already set up and configured in the test environment on the CLT1.fabrikam.com client. For more information about psexec, see PsExec v1.97 (http://go.microsoft.com/fwlink/?LinkId=179150).

Requirements for this Document

The following table summarizes the Microsoft software that was used in this guide.

| Software | Additional Information |
|---|---|
| Windows Server® 2008 Enterprise 32-bit edition | Windows Server® 2008 Enterprise (http://go.microsoft.com/fwlink/?LinkId=156710) |
| Windows Server® 2008 R2 | Windows Server® 2008 R2 (http://go.microsoft.com/fwlink/?LinkId=165669) |
| Windows® 7 Enterprise | Windows® 7 Enterprise (http://go.microsoft.com/fwlink/?LinkId=160776) |
| Active Directory Domain Service | Active Directory (http://go.microsoft.com/fwlink/?LinkId=156712) |
| Active Directory Certificate Services | Active Directory Certificate Services (http://go.microsoft.com/fwlink/?LinkId=179761) |
| Active Directory Rights Management Services (AD RMS) | Active Directory Rights Management Services (AD RMS) (http://go.microsoft.com/fwlink/?LinkId=163969) |
| Microsoft SQL Server 2008 Service Pack 1 – 64-bit edition | Microsoft SQL Server 2008 (http://go.microsoft.com/fwlink/?LinkId=156714) |
| Microsoft Exchange Server 2007 Service Pack 1 – 64-bit | Microsoft Exchange Server 2007 (http://go.microsoft.com/fwlink/?LinkId=156715) |
| Microsoft Office 2007 with Service Pack 2 | Microsoft Office 2007 (http://go.microsoft.com/fwlink/?LinkId=156717) |
| Microsoft Hyper-V | Microsoft Hyper-V (http://go.microsoft.com/fwlink/?LinkID=156719) |
| File Classification Infrastructure | FCI (http://go.microsoft.com/fwlink/?LinkId=165668) |
| Microsoft Windows PowerShell 2.0 | Windows PowerShell 2.0 (http://go.microsoft.com/fwlink/?LinkId=178634) |
| Internet Information Services (IIS) 7.0 | IIS 7.0 (http://go.microsoft.com/fwlink/?LinkId=160778) |
| AD RMS Bulk Protection Tool | AD RMS Bulk Protection Tool (http://go.microsoft.com/fwlink/?LinkId=166237) |
| Sysinternals PsExec | PsExec v1.97 (http://go.microsoft.com/fwlink/?LinkId=179150) |
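
The certificate prerequisite stated above (a valid SSL certificate with a trusted chain, which the AD RMS Bulk Protection Tool needs in order to bootstrap) can be checked before starting the procedures. The following PowerShell function is an added example, not part of the original guide; the host name adrms.fabrikam.com comes from the lab described here and port 443 is an assumption.

```powershell
# Added example (not from the original guide): check, from the machine that runs
# it, that the AD RMS cluster certificate matches the host name and chains to a
# trusted root. Host name and port are assumptions based on this lab.
function Test-AdRmsClusterCertificate {
    param(
        [string]$HostName = 'adrms.fabrikam.com',
        [int]$Port = 443
    )

    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    # Filled in by the validation callback with what the TLS stack itself found.
    $state = @{ PolicyErrors = $null }

    try {
        $client.Connect($HostName, $Port)
        $stream = $client.GetStream()

        # Record the policy errors but let the handshake finish, so that an
        # untrusted or mismatched certificate can still be retrieved and examined.
        # No application data is sent over this connection.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($source, $certificate, $chain, $sslPolicyErrors)
            $state.PolicyErrors = $sslPolicyErrors
            $true
        }

        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Close() }
        $client.Close()
    }

    # Rebuild the chain locally to get per-element detail. Online revocation
    # checking also shows whether the CRL location is reachable from this machine.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($cert)
    $chainProblems = @($chain.ChainStatus | ForEach-Object {
        '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim()
    })
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    New-Object PSObject -Property @{
        HostName      = $HostName
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        RootSubject   = $root.Subject
        PolicyErrors  = $state.PolicyErrors   # None = name matches and chain is trusted
        ChainTrusted  = $chainOk
        ChainProblems = $chainProblems        # empty when the chain builds cleanly
    }
}

Test-AdRmsClusterCertificate | Format-List
```

The result reflects the certificate stores of the account that runs the script, so run it on FCI.fabrikam.com. A clean result shows PolicyErrors as None, ChainTrusted as True and no ChainProblems entries.
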

The Scenario

Scenario description

Fabrikam, a fictitious company, has a number of file servers that store the company’s documents. These documents may be general documentation or may have a high business impact (HBI). For example, any document that contains Intellectual Property is deemed, by Fabrikam, to have a high business impact. Fabrikam wants to ensure that all their documentation has a minimum amount of protection and that their HBI documentation is restricted to only full-time employees.

In order to accomplish this, Fabrikam is exploring using the AD RMS Bulk Protection Tool in conjunction with File Classification Infrastructure (FCI) available in Windows Server 2008 R2. Using FCI, Fabrikam will classify all of the documents on their file server based on the content and then use the AD RMS Bulk Protection Tool to apply the appropriate rights policy. Fabrikam has set up a test environment to evaluate these functions.

The testing environment

The scenario outlined in this document has been developed and tested on two stand-alone computers running the 64-bit editions of the Windows Server® 2008 R2 operating system and Hyper-V. The servers have two 3.0 gigahertz (GHz) dual core processors and 8 gigabytes (GB) of RAM each.
Using Hyper-V, the following seven virtual machines were created on the hosts.

Table 1 Virtual Machines and Roles

| Computer Name | Forest | Operating System | Memory | Applications and Services | IP Address |
|---|---|---|---|---|---|
| DC | fabrikam.com | Windows Server 2008 x64 SP2 | 512 | Active Directory, DNS, Certificate Authority | 192.168.100.100 |
| EX | fabrikam.net | Windows Server 2008 x64 SP2 | 2048 | Exchange 2007, IIS 7.0 | 192.168.100.101 |
| ADRMS | fabrikam.com | Windows Server® 2008 R2 x64 | 1024 | AD RMS, SQL Server 2008 SP1, IIS 7.0 | 192.168.100.102 |
| FCI | fabrikam.com | Windows Server® 2008 R2 x64 | 1024 | File Classification Infrastructure | 192.168.100.103 |
| CLT1 | fabrikam.com | Windows 7 Enterprise x86 | 1024 | Microsoft Office Word 2007 Enterprise Edition SP2 | 192.168.100.104 |
| CLT2 | fabrikam.com | Windows 7 Enterprise x86 | 1024 | | 192.168.100.105 |

Hyper-V is not a requirement to complete the steps outlined later. These steps can be implemented on physical computers as long as they reflect the same roles as the preceding table.

Required Groups

The following table summarizes the universal groups used in this step-by-step guide.

Table 2 Group Summary

| Group Name | Group Scope | Group Type |
|---|---|---|
| All Staff | Universal | Security |
| All FTE | Universal | Security |
| All Contractors | Universal | Security |

Required accounts

The following table summarizes the accounts used in this step-by-step guide.

Table 3 Required Accounts

| Account | Display name | Forest | Group Membership | Password | Description |
|---|---|---|---|---|---|
| bsimon | Britta Simon | fabrikam.com | All FTE | Pass1word$ | User account. |
| ljacobson | Lola Jacobson | fabrikam.net | All Contractors | Pass1word$ | User account. |

Implementing the Procedures in this Document

The following steps will guide you through setting up the initial environment.
This part of the document will illustrate setting up the AD RMS Bulk Protection Tool and FCI.

This section is comprised of the following steps:

  • Step 1 – Create FabrikamUsers Organizational Unit
  • Step 2 – Create Test Users
  • Step 3 – Create Test Groups
  • Step 4 – Add Users to Groups
  • Step 5 – Install FCI on Windows Server 2008 R2
  • Step 6 – Install the AD RMS Bulk Protection Tool
  • Step 7 – Create ADRMSPublic Shared Folder
  • Step 8 – Create Fabrikam Confidential Rights Policy Template
  • Step 9 – Create Fabrikam FTE Confidential Rights Policy Template
  • Step 10 – Add the AD RMS Cluster URL to Local Intranet
  • Step 11 – Grant FCI Machine Account Read and Execute Permissions
  • Step 12 – Grant AD RMS Service Group Read and Execute Permissions
  • Step 13 – Create FabrikamDocuments Shared Folder
  • Step 14 – Grant FCI Server Send As Rights
  • Step 15 – Configure FCI for E-mail Notification
  • Step 16 – Change Timeout on Certification Path Validation Settings
  • Step 17 – Create Business Impact Classification Property
  • Step 18 – Create dataEncrypted Classification Rule
  • Step 19 – Create LBI Classification Rule
  • Step 20 – Create HBI Classification Rule
  • Step 21 – Restrict Files to Fabrikam Employees
  • Step 22 – Restrict Files to Full-time Employees

Step 1 - Create FabrikamUsers Organizational Unit

This step explains how to create an organizational unit in fabrikam.com. This organizational unit will store all of the test users.

To create the organizational unit

1. Log on to DC.fabrikam.com as Administrator.
2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.
   This will open the Active Directory Users and Computers MMC.
3. In the Active Directory Users and Computers MMC, from the tree-view on the left, right-click fabrikam.com, select New, and then Organizational Unit.
4. In the Name textbox, type FabrikamUsers. Click OK.
5. Close Active Directory Users and Computers.

Step 2 - Create Test Users

This step explains how to create and mailbox-enable the test users in fabrikam.com. These accounts will be used to verify that the AD RMS Bulk Protection Tool and FCI are working correctly.

Table 1 Required Accounts

| First Name | Last Name | User logon name | Display name | Forest | Password |
|---|---|---|---|---|---|
| Britta | Simon | bsimon | Britta Simon | fabrikam.com | Pass1word$ |
| Lola | Jacobson | ljacobson | Lola Jacobson | fabrikam.com | Pass1word$ |

To create the test User Accounts

1. Log on to the DC.corp.fabrikam.com Server as Administrator.
2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.
3. Expand fabrikam.com, right-click FabrikamUsers, select New and then select User.
   This will bring up the New Object – User window.
4. On the New Object – User screen, in the First Name box, enter Britta.
5. On the New Object – User screen, in the Last Name box, enter Simon.
6. On the New Object – User screen, in the User logon name: box, enter bsimon and click Next.
7. On the New Object – User screen, in the Password box, enter Pass1word!.
8. On the New Object – User screen, in the Confirm Password box, enter Pass1word!.
9. On the New Object – User screen, remove the check from User must change password at next logon.
10. On the New Object – User screen, add a check to Password never expires and click Next.
11. Click Finish.
12. Repeat these steps for all of the accounts listed in the Account Summary table.

To Mailbox-Enable the User Accounts

1. Log on to the EX.fabrikam.com Server as Administrator.
2. Click Start, click All Programs, click Microsoft Exchange Server 2007, and click Exchange Management Console.
3. In the Exchange Management Console, expand Recipient Configuration, and click Mailbox.
4. On the right, in the Actions pane, click New Mailbox… to start the New Mailbox wizard.
5. On the Introduction screen, select User Mailbox and click Next.
6. On the User Type screen, select Existing users and click Add. This will bring up the Select User – fabrikam.com screen.
7. From the list, using the Ctrl key, select Britta Simon and Lola Jacobson, then click OK.
8. Click Next.
9. On the Group Information screen, click Next.
10. On the Mailbox Settings screen, under Mailbox database click Browse. This will bring up the Select Mailbox Database screen.
11. Select the Mailbox Database and click OK. Click Next.
12. On the New Mailbox screen, click Next.
13. On the Completion screen, verify that it was successful and click Finish.
14. Close Exchange Management Console.

Step 3 - Create Test Groups

This step explains how to create and mail-enable the test groups in fabrikam.com. It also explains how to make certain groups members of other groups.
These groups will be used to determine who has usage rights to the protected content created later in this guide.

Table 1 Group Summary

| Group Name | Group Scope | Group Type |
|---|---|---|
| All Staff | Universal | Security |
| All FTE | Universal | Security |
| All Contractors | Universal | Security |

To create the test Groups

1. Log on to the DC.fabrikam.com Server as Administrator.
2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.
3. Expand fabrikam.com, right-click FabrikamUsers, select New and then select Group. This will bring up the New Object – Group window.
4. On the New Object – Group screen, in the Group Name box, enter All Staff.
5. On the New Object – Group screen, under Group scope, select Universal.
6. On the New Object – Group screen, under Group type, select Security.
7. Click OK.
8. Repeat these steps for all of the groups listed in the Group Summary table.

To Mail-Enable the Security Groups

1. Log on to the EX.fabrikam.com Server as Administrator.
2. Click Start, click All Programs, click Microsoft Exchange Server 2007, and click Exchange Management Console.
3. In the Exchange Management Console, expand Recipient Configuration, and click Distribution Group.
4. On the right, in the Actions pane, click New Distribution Group… to start the New Distribution Group wizard.
5. On the Introduction screen, select Existing group and click Browse.
   This will bring up the Select Group – fabrikam.com screen.
6. From the list, select All Staff and click OK.
7. Click Next.
8. On the Group Information screen, click Next.
9. On the New Distribution Group screen, click New.
10. On the Completion screen, verify that it was successful and click Finish.
11. Close Exchange Management Console.
12. Repeat these steps for all of the groups listed in the Group Summary table.

Add All FTE group and All Contractors group to All Staff group

1. Log on to the DC.fabrikam.com Server as Administrator.
2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.
3. Expand fabrikam.com, select FabrikamUsers, right-click All Staff, and select Properties. This will bring up the All Staff Properties window.
4. On the Members tab, click Add. This will bring up the Select Groups dialog box.
5. On the Select Groups dialog box, under Enter the object names to select (examples) box, enter All FTE and click Check Names. This should resolve with an underline.
6. Click OK. This will close the Select Groups dialog box.
7. On the Members tab, click Add. This will bring up the Select Groups dialog box.
8. On the Select Groups dialog box, under Enter the object names to select (examples) box, enter All Contractors and click Check Names. This should resolve with an underline.
9. Click OK. This will close the Select Groups dialog box.
10. On the All Staff Properties window, click Apply.
11. Click OK.
    This will close the All Staff Properties dialog box.
12. Close Active Directory Users and Computers.

Step 4 - Add Users to Groups

This step explains how to add the previously created users to the previously created security groups.

Table 1 Account Summary

| First Name | Last Name | User logon name | Member of |
|---|---|---|---|
| Britta | Simon | bsimon | All FTE |
| Lola | Jacobson | ljacobson | All Contractors |

To add test user accounts to test groups

1. Log on to the DC.fabrikam.com Server as Administrator.
2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.
3. Expand fabrikam.com, select FabrikamUsers, right-click Britta Simon, and select Properties. This will bring up the Britta Simon Properties window.
4. On the Member of tab, click Add. This will bring up the Select Groups dialog box.
5. On the Select Groups dialog box, under Enter the object names to select (examples) box, enter All FTE and click Check Names. This should resolve with an underline.
6. Click OK. This will close the Select Groups dialog box.
7. On the Britta Simon Properties window, click Apply.
8. Click OK. This will close the Britta Simon Properties dialog box.
9. Repeat these steps for all of the accounts listed in the Account Summary table, substituting the appropriate Member of value.
10. Close Active Directory Users and Computers.

Step 5 - Install FCI on Windows Server 2008 R2

This step explains how to install FCI on Windows Server® 2008 R2.

To install File Classification Infrastructure

1. Log on to the FCI.fabrikam.com Server as Administrator.
2. Click Start, select Administrative Tools, and click Server Manager.
3. On the left, right-click Roles and select Add Roles.
   This will bring up the Add Roles Wizard.
4. On the Before you Begin screen, click Next.
5. On the Select Server Roles screen, click the box next to File Services and click Next.
6. On the File Services screen, click Next.
7. On the Select Role Services screen, click the box next to File Server Resource Manager and click Next.
8. On the Configure Storage Usage Monitoring screen, click Next.
9. On the Confirm Installation Selections screen, click Install.
10. On the Installation Results screen, verify the installation was successful and click Close.
11. Close Server Manager.

Step 6 - Install AD RMS Bulk Protection Tool

This step explains how to install the AD RMS Bulk Protection Tool.

To install the AD RMS Bulk Protection Tool

1. Log on to the FCI.fabrikam.com Server as Administrator.
2. Navigate to where you downloaded the tool and double-click rmsbulk.msi. This will bring up the Rights Management Services Bulk Protection Tool Setup wizard.
3. On the Welcome to the Rights Management Services Bulk Protection Tool Setup Wizard screen, click Next.
4. On the End-User License Agreement screen, read the EULA, click I accept the terms in the License Agreement and click Next.
5. On the Destination Folder screen, click the Change button, navigate to C:\Windows\SysWOW64 and click OK. Verify the path is now SysWOW64 and click Next.
6. On the Ready to install Rights Management Services Bulk Protection Tool screen, click Install.
7. On the Completed the Rights Management Services Bulk Protection Tool Setup Wizard screen, click Finish.

Step 7 - Create ADRMSPublic Shared Folder

This step explains how to create the ADRMSPublic shared folder.
This shared folder will be used to store our AD RMS rights policy templates.

To create the ADRMSPublic Shared Folder

1. Log on to ADRMS.fabrikam.com as Administrator.
2. Click Start, click Computer, and then double-click Local Disk (C:).
3. Click File, point to New, and then click Folder.
4. Type ADRMSPublic for the new folder, and then press ENTER.
5. Right-click ADRMSPublic, and then click Share.
6. On the File Sharing window, in the box under Type the name of the person you want to share with and click Add…, enter Everyone and click Add. The Everyone group should now appear in the box below. The Permission Level should be Reader.
7. On the File Sharing window, in the box under Type the name of the person you want to share with and click Add…, enter ADRMS Service and click Add. The Everyone group should now appear in the box below. The Permission Level should be Contributor.
   Important: If you have set up AD RMS with a different service account name, use that account in the step above.
8. Click Share. The window should change and you should now see Your folder is shared.
9. Click Done.

Step 8 - Create Fabrikam Confidential Rights Policy Template

This step explains how to create the Fabrikam Confidential Rights Policy Template. This template will be the minimum rights protection placed on all content within Fabrikam’s organization.

To create the Fabrikam Confidential Rights Policy Template

1. Log on to ADRMS.fabrikam.com as Administrator.
2. Open the Active Directory Rights Management Services Administration console.
   Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
4. In the Active Directory Rights Management Services Administration console, expand the cluster name.
5. Click Rights Policy Templates and ensure that Distributed Rights Policy Templates information appears in the center pane. On the right, in the Actions pane, click Properties. This will bring up the Rights Policy Templates Properties dialog box.
6. On the Rights Policy Templates Properties dialog box, select the Enable export check box, type \\adrms\ADRMSPublic in the Specify templates file location (UNC) box, and then click OK.
7. On the right, in the Actions pane, click Create Distributed Rights Policy Template to start the Create Distributed Rights Policy Template wizard.
8. Click Add.
9. In the Language box, choose the appropriate language for the rights policy template.
10. Type Fabrikam Confidential in the Name box.
11. Type This content is confidential and proprietary information intended for Fabrikam employees only and provides the following user rights: View, Reply, Reply All, Save, Edit, and Forward in the Description box, and then click Add.
12. Click Next.
13. Click Add, type AllStaff@fabrikam.com in The e-mail address of a user or group box, and then click OK.
14. Select the View, Reply, Reply All, Save, Edit, and Forward check boxes.
15. Click Finish.

Step 9 - Create Fabrikam FTE Confidential Rights Policy Template

This step explains how to create the Fabrikam FTE Confidential Rights Policy Template. This template will be the rights protection placed on all content that is deemed to have a High Business Impact within Fabrikam’s organization.

To create the Fabrikam Confidential Rights Policy Template

1. Log on to ADRMS.fabrikam.com as Administrator.
2. Open the Active Directory Rights Management Services Administration console.
   Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.
3. In the Active Directory Rights Management Services Administration console, expand the cluster adrms.fabrikam.com.
4. Click Rights Policy Templates.
5. On the right, in the Actions pane, click Create Distributed Rights Policy Template to start the Create Distributed Rights Policy Template wizard.
6. Click Add.
7. In the Language box, choose the appropriate language for the rights policy template.
8. Type Fabrikam FTE Confidential in the Name box.
9. Type This content is confidential and proprietary information intended for Fabrikam full-time employees only and provides the following user rights: View, Reply, Reply All, Save, Edit, and Forward in the Description box, and then click Add.
10. Click Next.
11. Click Add, type AllFTE@fabrikam.com in The e-mail address of a user or group box, and then click OK.
12. Select the View, Reply, Reply All, Save, Edit, and Forward check boxes.
13. Click Finish.

Step 10 - Add AD RMS Cluster URL to Local Intranet for Local System

This step explains how to add the AD RMS Cluster URL to the local intranet in Internet Explorer on FCI.fabrikam.com.

To add the AD RMS Cluster URL to Local Intranet in Internet Explorer

1. Log on to CLT1.fabrikam.com as Administrator.
2. Click the Windows Button, and in the Search programs and files box type cmd and press Enter. This will bring up a command-line interface.
3. From the command-line, navigate to C:\PSTools.
   Important: If you have PSTools installed to a different location, navigate to that location from the command-line.
4. From the PSTools directory, type psexec \\FCI -u Administrator -p Pass1word$ -i -s "C:\Program Files (x86)\Internet Explorer\iexplore.exe" and press Enter.
   Important: If your Administrator account is different, use your account for the command-line syntax above.
5. If this brings up the Sysinternals EULA, click accept.
6. Log on to FCI.fabrikam.com as Administrator.
There should be an instance of Internet Explorer running.
7. At the top of Internet Explorer, under Tools, click Internet Options.
8. Click the Security tab and select Local intranet from the Select a zone to view or change security settings box.
9. Click Sites to show a Local intranet window. Click Advanced.
10. In the Add this website to the zone: box, type https://adrms.fabrikam.com. Click Add.
11. Place a check in Require server verification (https:) for all sites in this zone and click Close. Click OK.
12. Click OK to close the Internet Options dialog box.
Important: At this point, you should try to access the following: https://adrms.fabrikam.com/_wmcs/certification/certification.asmx. Verify that there are no certificate errors. If there are, make sure the CA chain is installed under Trusted Root Certification Authorities for the local system account. This can be done by right-clicking the error at the top and selecting view certificates. From there, click certification path and highlight the root certificate. Click view certificate and then install this one.
13. Close Internet Explorer.
14. Log off FCI.fabrikam.com.
15. On CLT1.fabrikam.com, close the command window.

Step 11 - Grant FCI Machine Account Read and Execute Permissions
This step explains how to grant the FCI machine account read and execute permissions to the ServerCertification.asmx page. This is required because it allows the AD RMS Bulk Protection Tool to run under the local system account on the FCI server.
To add the Read & Execute permissions for the FCI machine account on ServerCertification.asmx
1. Log on to ADRMS.fabrikam.com Server as Administrator.
2. Click Start, select Computer, double-click Local Disk (C:), double-click inetpub, double-click wwwroot, double-click _wmcs, double-click certification, right-click ServerCertification.asmx and select Properties.
This will bring up the ServerCertification.asmx Properties.
3. On the ServerCertification.asmx properties, select the Security tab, and then click Edit. This will bring up the Permissions for ServerCertification.asmx.
4. On the Permissions for ServerCertification.asmx screen, click Add. This will bring up the Select Users, Computers, or Groups screen.
5. On the Select Users, Computers, or Groups screen, to the right, click the Object Types… button. This will bring up the Object Types screen.
6. On the Object Types screen, place a check in Computers and click OK. This will close the Object Types screen.
7. On the Select Users, Computers, or Groups screen, under Enter the object names to select, enter fabrikam\FCI and click Check Names. This should resolve with an underline. Click OK.
8. On the Permissions for ServerCertification.asmx screen, select the newly added fabrikam\FCI$ and verify it has a check in Read & execute. Click Apply. Click OK. This will close the Permissions for ServerCertification.asmx screen.
9. On the ServerCertification.asmx properties, click OK. This will close the ServerCertification.asmx properties.

Step 12 - Grant AD RMS Service Group Read and Execute Permissions
This step explains how to grant the AD RMS Service Group read and execute permissions to the ServerCertification.asmx page. This is required because it allows the AD RMS Bulk Protection Tool to run under the local system account on the FCI server.
To add the Read & Execute permissions for AD RMS Service Group on ServerCertification.asmx
1. Log on to ADRMS.fabrikam.com Server as Administrator.
2. Click Start, select Computer, double-click Local Disk (C:), double-click inetpub, double-click wwwroot, double-click _wmcs, double-click certification, right-click ServerCertification.asmx and select Properties. This will bring up the ServerCertification.asmx Properties.
3. On the ServerCertification.asmx properties, select the Security tab, select New, and click Edit.
This will bring up the Permissions for ServerCertification.asmx.
4. On the Permissions for ServerCertification.asmx screen, click Add. This will bring up the Select Users, Computers, or Groups screen.
5. On the Select Users, Computers, or Groups screen, under Enter the object names to select, enter ADRMS\AD RMS Service Group and click Check Names. This should resolve with an underline. Click OK.
6. On the Permissions for ServerCertification.asmx screen, select the newly added AD RMS Service Group and verify it has a check in Read & execute. Click Apply. Click OK. This will close the Permissions for ServerCertification.asmx screen.
7. On the ServerCertification.asmx properties, click OK. This will close the ServerCertification.asmx properties.
8. Restart the ADRMS.fabrikam.com server.

Step 13 - Create FabrikamDocuments Shared Folder
This step explains how to create the FabrikamDocuments shared folder. This is the folder that will store all of the content Fabrikam wishes to rights protect.
To create the FabrikamDocuments Shared Folder
1. Log on to FCI.fabrikam.com as Administrator.
2. Click Start, click Computer, and then double-click Local Disk (C:).
3. Click File, point to New, and then click Folder.
4. Type FabrikamDocuments for the new folder, and then press ENTER.
5. Right-click FabrikamDocuments, click Share with, and then click Specific people.
6. On the File Sharing window, in the box under Type a name and then click Add, or click the arrow to find someone, select Everyone, and then click Add. The Everyone group should now appear in the box below. Under Permission Level, select Read/Write.
7. Click Share. The window should change and you should now see Your folder is shared.
8. Click Done.

Step 14 - Grant FCI Server Send As Rights
This step explains how to grant the FCI machine account the Send As right on the Administrator account.
This will allow the FCI machine to send e-mail notifications as the Administrator when documents are rights protected.
To grant the FCI Machine Account Send As Rights
1. Log on to the EX.corp.fabrikam.com Server as Administrator.
2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.
3. At the top, select View and then select Advanced Features from the drop-down.
4. On the left, expand fabrikam.com and click the Users organizational unit. On the right, right-click Administrator and then select Properties. This will bring up the Administrator Properties window.
5. On the Administrator Properties screen, select the Security tab and click Add. This will bring up the Select Users, Computers, or Groups screen.
6. On the Select Users, Computers, or Groups screen, to the right, click the Object Types… button. This will bring up the Object Types screen.
7. On the Object Types screen, place a check in Computers and click OK. This will close the Object Types screen.
8. On the Select Users, Computers, or Groups screen, under Enter the object names to select, enter fabrikam\FCI and click Check Names. This should resolve with an underline. Click OK.
9. Under Groups or user names: make sure FCI (FABRIKAM\FCI$) is selected.
10. On the Permissions for FCI, locate Send As and select Allow. Click Apply. Click OK. This will close the Administrators Properties screen.
11. Close Active Directory Users and Computers.

Step 15 - Configure FCI for E-mail Notification
This step explains how to add e-mail configuration options to the File Classification Infrastructure. This will allow for e-mail notifications when documents are rights protected. We will be using our Exchange 2007 Server for this purpose.
To set up FCI for e-mail notification
1. Log on to FCI.fabrikam.com as Administrator.
2. Click Start, click Administrative Tools, and click File Server Resource Manager.
3. In the File Server Resource Manager, on the right, under Actions, click Configure Options.
This will bring up the File Server Resource Manager Options.
4. Under SMTP server name or IP address, enter EX.fabrikam.com.
5. Under Default administrator recipients, enter administrator@fabrikam.com.
6. Under Default “From” e-mail address, enter administrator@fabrikam.com.
7. Click OK.
Important: You can test this by using the Send Test E-mail button that is provided on the File Server Resource Manager Options page.

Step 16 - Change Timeout on Certification Path Validation Settings
This step explains how to change the default path validation cumulative retrieval timeout from 20 seconds to 2 seconds. This is required only because the servers do not have access to the Internet. If this GPO setting is not changed, the AD RMS Bulk Protection Tool will fail when attempting to activate the FCI server.
To change the Default Path Validation Cumulative Retrieval Timeout
1. Log on to the DC.corp.fabrikam.com Server as Administrator.
2. Click Start, select Administrative Tools, and click Group Policy Management.
3. Expand Forest: fabrikam.com, expand Domains, expand fabrikam.com, right-click Default Domain Policy, and then select edit. This will bring up the Group Policy Management Editor.
4. On the left, expand Computer Configuration, expand Windows Settings, expand Security Settings, and click Public Key Policies.
5. On the right, right-click Certificate Path Validation Settings and click Properties. This will bring up the Certificate Path Validation Settings Properties.
6. On the Certificate Path Validation Settings screen, click the Network Retrieval tab.
7. On the Network Retrieval screen, place a check in Define these policy settings and in the middle, change Default path validation cumulative retrieval timeout (in seconds) to 2.
8. Click Apply and OK.
This will close the Certificate Path Validation Settings.
9. Close Group Policy Management.

Refresh the policy on the FCI server
1. Log on to the FCI.fabrikam.com Server as Administrator.
2. Click Start, and click Command Prompt. This will open a command prompt window.
3. From the command prompt, type gpupdate /force and hit Enter. Once this is complete, it should say that the user and computer policies were updated successfully.
4. Close the Command Prompt.

Step 17 - Create Business Impact Classification Property
This step explains how to create the Business Impact Classification Property. Classification properties are used to assign values to files. There are many property types that you can choose from, and you can define them based on the policies your organization wants to enforce. This will be an ordered list property. A value of High will indicate that the document has a high business impact, while a value of Low will represent a low business impact.
To create the Business Impact Classification Property
1. Log on to FCI.fabrikam.com as Administrator.
2. Click Start, click Administrative Tools, and click File Server Resource Manager.
3. In the File Server Resource Manager, on the left, expand Classification Management, right-click Classification Properties, and select Create Property. This will bring up the Create Classification Property Definition window.
4. Under Property name, enter Business Impact.
5. Under Description, enter Describes the impact to the business if this file were to be disclosed to the public. Valid values are High and Low.
6. Under Property type, enter Ordered List.
7. Down under Value, enter High. This will add a row below the value we just entered.
8. Under the High value we just added, enter Low.
9. Click OK.

Step 18 - Create dateEncrypted Classification Property
This step explains how to create the dateEncrypted Classification Property.
It allows for tracking which files have already been encrypted and do not need to be encrypted again. This will be a Date-Time property. It will indicate when the file was last encrypted.
To create the dateEncrypted Property
1. Log on to FCI.fabrikam.com as Administrator.
2. Click Start, click Administrative Tools, and click File Server Resource Manager.
3. In the File Server Resource Manager, on the left, expand Classification Management, right-click Classification Properties, and select Create Property. This will bring up the Create Classification Property Definition window.
4. Under Property name, enter dateEncrypted.
5. Under Description, enter When this document was encrypted.
6. Under Property type, enter Date-Time.
7. Click OK.

Step 19 - Create LBI Classification Rule
This step explains how to create the LBI Classification Rule. This rule will classify all of our documents with an LBI property value. Later the HBI Classification Rule will override these LBI values if the documents match the criteria in the HBI Classification rule.
To create the LBI Classification Rule
1. Log on to FCI.fabrikam.com as Administrator.
2. Click Start, click Administrative Tools, and click File Server Resource Manager.
3. In the File Server Resource Manager, on the left, expand Classification Management, right-click Classification Rules, and select Create a New Rule. This will bring up the Classification Rule Definitions window.
4. Under Rule name:, enter Low Business Impact.
5. Under Description, enter Classify all documents with low business impact by default.
6. Under Scope, click Add and browse to FabrikamDocuments.
Click OK.
7. At the top, click the Classification tab.
8. Under Choose a method to assign the property value, select Folder Classifier from the drop-down.
9. Under Choose a property value to be assigned, select Business Impact Classification Property from the drop-down.
10. Under Property value to be assigned, select Low from the drop-down.
11. Click OK.

Step 20 - Create HBI Classification Rule
This step explains how to create the HBI Classification Rule. This rule will search the content of documents and if the string “Intellectual Property” is found, it will classify this document as having high business impact. This classification will override any previously assigned classification as low business impact.
To create the HBI Classification Rule
1. Log on to FCI.fabrikam.com as Administrator.
2. Click Start, click Administrative Tools, and click File Server Resource Manager.
3. In the File Server Resource Manager, on the left, expand Classification Management, right-click Classification Rules, and select Create a New Rule. This will bring up the Classification Rule Definitions window.
4. Under Rule name:, enter High Business Impact.
5. Under Description, enter Determines if the document has a high business impact based on the presence of the string “Intellectual Property”.
6. Under Scope, click Add and browse to FabrikamDocuments. Click OK.
7. At the top, click the Classification tab.
8. Under Choose a method to assign the property value, select Content Classifier from the drop-down.
9. Under Choose a property value to be assigned, select Business Impact Classification Property from the drop-down.
10. Under Property value to be assigned, select High from the drop-down.
11. Click Advanced. This will bring up the Additional Rule Parameters.
12. On the Evaluation Type, place a check in the Re-evaluate existing property values box and select Aggregate the values.
13. At the top, click the Additional Classification Parameters tab.
14. Under the box that says Name, enter String.
Under the box that says Value, enter Intellectual Property.
15. Click OK. Click OK.

Step 21 - Restrict Files to Fabrikam Employees
This step explains how to create a file management task to restrict access of low business impact files to Fabrikam employees. This task will apply the Fabrikam Confidential rights policy template to all of the documents that have been classified with a Low property and that have not already been encrypted. The original owner of the file will retain full control of the AD RMS protection, unless the owner is not registered in Active Directory. In that case, the Administrator will gain full control of the AD RMS protection on the file. It will also send an e-mail message to the owner of each file when it is encrypted.
To create the file management task to restrict files to employees of Fabrikam
1. Log on to FCI.fabrikam.com as Administrator.
2. Copy the script from Appendix A into Notepad and save it as c:\windows\system32\MarkLBIandProtect.ps1.
3. Click Start, click Administrative Tools, and click File Server Resource Manager.
4. In the File Server Resource Manager, on the left, right-click File Management Tasks, and select Create File Management Task. This will bring up the Create File Management Task window.
5. Under Task name:, enter Restrict files to employees of Fabrikam.
6. Under Description, enter Apply Fabrikam Confidential rights policy.
7. Under Scope, click Add and browse to FabrikamDocuments. Click OK.
8. At the top, click the Action tab.
9. Under Type, select Custom from the drop-down.
10. Under Executable, select Browse and navigate to c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe.
11. Under Arguments, enter -File c:\windows\system32\MarkLBIandProtect.ps1 [Source File Path] [Source File Owner Email] administrator@fabrikam.com.
12. Under Run the command as:, select Local System.
13. At the top, click the Condition tab.
14. Click Add.
This will bring up the Property Condition window.
15. On the Property Condition window, make sure Property: is set to Business Impact, set the Operator: to Equals, and for the Value: select Low from the drop-down. Click OK.
16. Click Add. This will bring up the Property Condition window.
17. On the Property Condition window, make sure Property: is set to dateEncrypted, and select not exist for the condition. Click OK.
18. At the top, click the Notification tab.
19. Click Add. This will bring up the Add Notification window.
20. Set the Number of days before the task is executed to send notification to 0.
21. Check Send e-mail to the following administrators:
22. In the box, enter administrator@fabrikam.com.
23. Check Send e-mail to the user whose files are about to expire.
24. Under Subject:, enter File encrypted.
25. Click OK.
26. At the top, click the Schedule tab.
27. On the Schedule tab, click Create. This will bring up the Schedule window.
28. On the Schedule window, click New.
29. Accept the defaults and click OK. This will close the Schedule window.
30. Click OK. This will close the Create File Management Task window.

Important
After the installation of PowerShell, the execution of scripts is disabled by default. You must enable your system to run the scripts. This can be done by using the following command: Set-ExecutionPolicy Unrestricted. Alternatively, the execution policy can be set to signed and the script can be signed. For more information about this topic, please see Running Windows PowerShell Scripts (http://go.microsoft.com/fwlink/?LinkID=119588).

Step 22 - Restrict Files to Full-Time Fabrikam Employees
This step explains how to create a file management task to restrict access of high business impact files to full-time Fabrikam employees. This task will apply the Fabrikam FTE Confidential rights policy template to all of the documents that have been classified with a High property.
The original owner of the file will retain full control of the AD RMS protection, unless the owner is not registered in Active Directory. In that case, the Administrator will gain full control of the AD RMS protection on the file. It will also send an e-mail to the owner of the document when the template is applied to the document.
To create the file management task to restrict files to full-time Fabrikam employees
1. Log on to FCI.fabrikam.com as Administrator.
2. Copy the script from Appendix B into Notepad and save it as c:\windows\system32\MarkHBIandProtect.ps1.
3. Click Start, click Administrative Tools, and click File Server Resource Manager.
4. In the File Server Resource Manager, on the left, right-click File Management Tasks, and select Create File Management Task. This will bring up the Create File Management Task window.
5. Under Task name:, enter Restrict HBI files to full-time Fabrikam employees.
6. Under Description, enter Apply Fabrikam FTE Confidential rights policy.
7. Under Scope, click Add and browse to FabrikamDocuments. Click OK.
8. At the top, click the Action tab.
9. Under Type, select Custom from the drop-down.
10. Under Executable, select Browse and navigate to c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe.
11. Under Arguments, enter -File c:\windows\system32\markHBIandprotect.ps1 [Source File Path].
12. Under Run the command as:, select Local System.
13. At the top, click the Condition tab.
14. Click Add. This will bring up the Property Condition window.
15. On the Property Condition window, make sure Property: is set to Business Impact, set the Operator: to Equals, and for the Value: select High from the drop-down. Click OK.
16. Click Add. This will bring up the Property Condition window.
17. On the Property Condition window, make sure Property: is set to dateEncrypted, select not exist for the condition, and then click OK.
18. At the top, click the Notification tab.
19. Click Add.
This will bring up the Add Notification window.
20. Set the Number of days before the task is executed to send notification to 0.
21. Check Send e-mail to the following administrators:
22. In the box, enter administrator@fabrikam.com.
23. Check Send e-mail to the user whose files are about to expire.
24. Change the text in the Subject and Message body boxes to indicate that the file was encrypted.
25. Click OK.
26. At the top, click the Schedule tab.
27. On the Schedule tab, click Create. This will bring up the Schedule window.
28. On the Schedule window, click New.
29. Accept the defaults and click OK. This will close the Schedule window.
30. Click OK. This will close the Create File Management Task window.

Testing the Implementation
The following sections explain how to test and verify that the AD RMS Bulk Protection Tool and FCI are working together and classifying and protecting content accordingly.
This section comprises the following steps:
1. Step 1 - Create an Intellectual Property Word document
2. Step 2 - Create a General Word document
3. Step 3 - Run File Server Resource Manager Classification Rules
4. Step 4 - Run File Management Tasks
5. Step 5 - Consume documents as Britta Simon
6. Step 6 - Consume documents as Lola Jacobson

Step 1 - Create an Intellectual Property Word Document
This section explains how to create a Word document that contains the phrase “Intellectual Property.”
To create an Intellectual Property Word Document
1. Log on to the CLT1.fabrikam.com as Administrator.
2. Click Start, select All Programs, click Microsoft Office, and select Microsoft Office Word 2007. This will bring up Word 2007 with a blank document.
3. On the blank document, type the words Intellectual Property.
4. At the top, click the Office button and select Save As from the drop-down.
5. At the top, remove Libraries -> Documents from the location and enter \\FCI.fabrikam.com\FabrikamDocuments.
6. Under File Name:, enter Spec.
7. Click Save.
8. Close Word.

Step 2 - Create a General Word Document
This section explains how to create a general Word document. This document will have the LBI policy applied to it.
To create a general Word document
1. Log on to the CLT1.fabrikam.com as Administrator.
2. Click Start, select All Programs, click Microsoft Office, and select Microsoft Office Word 2007. This will bring up Word 2007 with a blank document.
3. On the blank document, type the words Meeting notes.
4. At the top, click the Office button and select Save As from the drop-down.
5. At the top, remove Libraries -> Documents from the location and enter \\FCI.fabrikam.com\FabrikamDocuments.
6. Under File Name:, enter Notes.
7. Click Save.
8. Close Word.

Step 3 - Run File Server Resource Manager Classification Rules
This step explains how to manually run the classification rules. This is only being done for testing purposes. These can be automated so that they do not have to be run manually.
To run the File Server Resource Manager Classification Rules
1. Log on to FCI.fabrikam.com as Administrator.
2. Click Start, select Administrative Tools, and select File Server Resource Manager.
3. In the File Server Resource Manager, on the left, expand Classification Management, right-click Classification Rules, and select Run Classification With All Rules Now. This will bring up the Run Classification window.
4. Under How do you want to proceed?, select Wait for classification to complete execution. Click OK.
5. Once classification finishes, examine the report. The spec.doc should be classified as High and the notes.doc should be classified as Low.
6. Close the report.
7. Close File Server Resource Manager.

Step 4 - Run File Management Tasks
This step explains how to manually run the File Management Tasks.
These tasks will now apply the rights policy templates to our documents based on the properties that were set in the previous step. This is only being done for testing purposes. These can be automated so that they do not have to be run manually.
To run the File Management Tasks
1. Log on to FCI.fabrikam.com as Administrator.
2. Click Start, select Administrative Tools, and select File Server Resource Manager.
3. In the File Server Resource Manager, click File Management Tasks. Our File Management Tasks should appear in the center of the File Server Resource Manager.
4. Right-click Fabrikam Confidential File Management Task, and select Run File Management Task Now. This will bring up the Run File Management Task window.
5. Under How do you want to proceed?, select Wait for task to complete execution. Click OK.
6. Once the File Management Task has completed, examine the report.
7. Close the report.
8. Right-click Fabrikam FTE Confidential File Management Task, and select Run File Management Task Now. This will bring up the Run File Management Task window.
9. Under How do you want to proceed?, select Wait for task to complete execution. Click OK.
10. Once the File Management Task has completed, examine the report.
11. Close the report.
12. Close File Server Resource Manager.

Step 5 - Consume Documents As Britta Simon
In this step we will be attempting to open the documents that we just rights protected in the previous step. In this step, we will log on as Britta Simon, a Fabrikam full-time employee. She should be able to open both documents.
Consume Documents as Britta Simon
The following steps show how to consume the documents as Britta Simon.
To consume documents as Britta Simon
1. Log on to CLT1.fabrikam.com as fabrikam\bsimon.
2. Click the Windows button.
3. In the search box, type \\FCI.fabrikam.com\FabrikamDocuments. This will open the FabrikamDocuments share.
4. Double-click notes.doc.
5. When prompted for credentials, for User name: enter bsimon.
For Password, enter Pass1word$. This will start the process of configuring AD RMS for Britta Simon.
6. Once this completes, you should see a pop-up window that says Permissions to this document is currently restricted. Microsoft Office must connect to http://adrms.fabrikam.com/_wmcs/licensing to verify your credentials and download your permissions. Click OK.
7. Once this completes, you should be able to view notes.doc. Close notes.doc.
8. Double-click spec.doc.
9. When prompted for credentials, for User name: enter bsimon. For Password, enter Pass1word$.
10. You should see a pop-up window that says Permissions to this document is currently restricted. Microsoft Office must connect to http://adrms.fabrikam.com/_wmcs/licensing to verify your credentials and download your permissions. Click OK.
11. Once this completes, you should be able to view spec.doc. Close spec.doc.

Step 6 - Consume Documents As Lola Jacobson
In this step we will be attempting to open the documents as Lola Jacobson, a contractor. Lola should be able to access the notes.doc file but should not be allowed to access the spec.doc file.
Consume Documents as Lola Jacobson
The following steps show how to consume the documents as Lola Jacobson.
To consume documents as Lola Jacobson
1. Log on to CLT2.fabrikam.com as fabrikam\ljacobson.
2. Click the Windows button.
3. In the search box, type \\FCI.fabrikam.com\FabrikamDocuments. This will open the FabrikamDocuments share.
4. Double-click notes.doc.
5. When prompted for credentials, for User name: enter ljacobson. For Password, enter Pass1word$. This will start the process of configuring AD RMS for Britta Simon.
6. Once this completes, you should see a pop-up window that says Permissions to this document is currently restricted. Microsoft Office must connect to http://adrms.fabrikam.com/_wmcs/licensing to verify your credentials and download your permissions. Click OK.
7. Once this completes, you should be able to view notes.doc.
Close notes.doc.
8. Double-click spec.doc.
9. When prompted for credentials, for User name: enter ljacobson. For Password, enter Pass1word$.
10. You should see a pop-up window that says Permissions to this document is currently restricted. Microsoft Office must connect to http://adrms.fabrikam.com/_wmcs/licensing to verify your credentials and download your permissions. Click OK.
11. Once this completes, you should see a pop-up window that says You do not have credentials that allow you to open this document. Do you want to open it using a different set of credentials? Click No. At this point, you should not have any open document in Word. Close Word.

Step 7 - Check Administrator's Email
This section explains how to check the Administrator’s e-mail. This is done to verify that the FCI server has sent us notification.
To verify the Administrator’s E-mail
1. Log on to the CLT1.fabrikam.com as Administrator.
2. Click Start, select All Programs, click Microsoft Office, and select Microsoft Office Outlook 2007.
This will bring up Outlook 2007.
3. Verify that the FCI server has sent the Administrator e-mail.

Appendix A - MarkLBIandProtect Windows PowerShell Script
The following Windows PowerShell script is used to create the file management task to restrict files to employees.

# execute bulk tool
# Quote the file path so that a path containing spaces reaches RmsBulk.exe as one argument
$encryptfile = '"' + $args[0] + '"'
$owneremail = $args[1]
# When the [Source File Owner Email] placeholder arrives unresolved, it is split on spaces,
# so the fallback address is the sixth argument
if ($owneremail -eq "[Source")
{
    $owneremail = $args[5]
}
$r = Start-Process -Wait -PassThru -FilePath C:\Windows\SysWOW64\RmsBulk.exe -ArgumentList "/encrypt", $encryptfile, "\\adrms.fabrikam.com\ADRMSPublic\Fabrikam_Confidential.xml", $owneremail, "/log", "C:\FabrikamDocuments\RmsLog.log", "/append", "/preserveattributes"
# Record the encryption time only when the tool reports success
if ($r.ExitCode -eq 0)
{
    $c = New-Object -com Fsrm.FsrmClassificationManager
    # Current UTC time as a FILETIME value, truncated to a whole second
    $d = (Get-Date).ToFileTimeUtc()
    $d = $d - ($d % 10000000)
    $c.SetFileProperty($args[0], "dateEncrypted", $d.ToString())
}

Appendix B - MarkHBIandProtect Windows PowerShell Script
The following Windows PowerShell script is used to create the file management task to restrict files to only full-time employees.

# execute bulk tool
# Quote the file path so that a path containing spaces reaches RmsBulk.exe as one argument
$encryptfile = '"' + $args[0] + '"'
$owneremail = $args[1]
# Use the sixth argument when the owner e-mail placeholder arrives unresolved
if ($owneremail -eq "[Source")
{
    $owneremail = $args[5]
}
$r = Start-Process -Wait -PassThru -FilePath C:\Windows\SysWOW64\RmsBulk.exe -ArgumentList "/encrypt", $encryptfile, "\\adrms.fabrikam.com\ADRMSPublic\Fabrikam_FTE_Confidential.xml", $owneremail, "/log", "C:\FabrikamDocuments\RmsLog.log", "/append", "/preserveattributes"
# Record the encryption time only when the tool reports success
if ($r.ExitCode -eq 0)
{
    $c = New-Object -com Fsrm.FsrmClassificationManager
    # Current UTC time as a FILETIME value, truncated to a whole second
    $d = (Get-Date).ToFileTimeUtc()
    $d = $d - ($d % 10000000)
    $c.SetFileProperty($args[0], "dateEncrypted", $d.ToString())
}

Appendix C - Using a Regular Expression with FCI
The following is an example of creating an FCI Classification Rule using a Regular Expression.
A regular expression is a pattern of text that consists of ordinary characters (for example, letters a through z) and special characters, known as metacharacters. The pattern describes one or more strings to match when searching text. The example below shows how to use a regular expression to look for a social security type number. It searches for 3 digits followed by a hyphen, then 2 digits followed by a hyphen, and finally 4 digits (ddd-dd-dddd). If any such expression is found in a document, it will be classified as having a high business impact.
To create the Regular Expression Classification Rule
1. Log on to FCI.fabrikam.com as Administrator.
2. Click Start, click Administrative Tools, and click File Server Resource Manager.
3. In the File Server Resource Manager, on the left, expand Classification Management, right-click Classification Rules, and select Create a New Rule. This will bring up the Classification Rule Definitions window.
4. Under Rule name:, enter Social Security Rule.
5. Under Description, enter Determines if the document contains a social security type number.
6. Under Scope, click Add and browse to FabrikamDocuments. Click OK.
7. At the top, click the Classification tab.
8. Under Choose a method to assign the property value, select Content Classifier from the drop-down.
9. Under Choose a property value to be assigned, select Business Impact Classification Property from the drop-down.
10. Under Property value to be assigned, select High from the drop-down.
11. Click Advanced. This will bring up the Additional Rule Parameters.
12. On the Evaluation Type, place a check in the Re-evaluate existing property values box and select Aggregate the values.
13. At the top, click the Additional Classification Parameters tab.
14. Under the box that says Name, enter RegularExpression. Under the box that says Value, enter \d{3}-\d{2}-\d{4}.
15. Click OK. Click OK.

To test this, create a Word document with the following number 111-22-3333 in it.
Save it to the c:\FabrikamDocuments share and then run the classification rule steps and file management tasks.
For more information about using Regular Expressions with FCI, see Classifying files based on location and content using the File Classification Infrastructure (FCI) in Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkId=180326).
For more information about Regular Expressions syntax, see Regular Expression Syntax (http://go.microsoft.com/fwlink/?LinkId=180327).
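
The pattern entered in step 14 of Appendix C can be dry-run in PowerShell against sample text before it goes into a classification rule. This is an added example, not part of the whitepaper or of any Microsoft tool: the sample strings, the function name Test-ClassifierPattern, and the tightened $strictPattern variant are constructed here, and it assumes the content classifier evaluates the pattern with the same .NET regular expression syntax that PowerShell uses.

```powershell
# Added example (not from the whitepaper): dry-run of the Appendix C pattern.

# Value entered for RegularExpression in step 14 of Appendix C
$pagePattern = '\d{3}-\d{2}-\d{4}'

# Assumption, not from the page: the same pattern with lookarounds that reject
# a candidate when it is glued to further digits on either side
$strictPattern = '(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)'

# Constructed sample lines; none of them is real data
$samples = @(
    'Employee SSN: 111-22-3333',          # the test value used on the page
    'Meeting notes, nothing sensitive',   # no number at all
    'Part number 9111-22-33334',          # longer digit run with the form embedded in it
    'Order 2010-01-15 ref 555-12-98',     # a date and a short reference number
    'IDs 123-45-6789 and 987-65-4321'     # two candidates on one line
)

# Hypothetical helper: reports, per line, whether the pattern matches and what it matched
function Test-ClassifierPattern {
    param(
        [string]$Pattern,
        [string[]]$Text
    )
    foreach ($line in $Text) {
        $found = [regex]::Matches($line, $Pattern)
        $hits  = @($found | ForEach-Object { $_.Value })
        New-Object PSObject -Property @{
            Text    = $line
            Matched = ($found.Count -gt 0)
            Hits    = ($hits -join ', ')
        }
    }
}

# Run both patterns over the same samples so the differences are visible side by side
foreach ($pattern in @($pagePattern, $strictPattern)) {
    "Pattern: $pattern"
    Test-ClassifierPattern -Pattern $pattern -Text $samples |
        Select-Object Matched, Hits, Text |
        Format-Table -AutoSize |
        Out-String
}
```

The page's pattern is unanchored, so it also reports a hit inside the longer part number, and with the rule in Appendix C any hit classifies the file as High. Comparing the two result tables shows which documents would change classification if the pattern were tightened.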