The Active Directory Rights Management Services Bulk Protection Tool provides a command-line interface that you can use to decrypt AD RMS-protected files. You can also use it to encrypt multiple files with a predefined rights policy template. The following sections in this topic describe the AD RMS Bulk Protection Tool commands:
- Pre-installation Information
- AD RMS Bulk Protection Tool Commands
- Using the AD RMS Bulk Protection Tool
Legal Information
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, Windows, Windows Server, and Active Directory are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
Pre-installation Information
The AD RMS Bulk Protection Tool requires that the .NET Framework 2.0 Service Pack 2 be installed. For more information about setup and installation see the .NET Framework 2.0 SP2 download (http://go.microsoft.com/fwlink/?LinkId=164617) in the Microsoft Download Center.
To run this tool, you must have the AD RMS client installed. The AD RMS client is included with the Windows Vista, the Windows 7, the Windows Server 2008, and the Windows Server 2008 R2 operating systems. If you are using Windows XP, Windows 2000, or Windows Server 2003 as the client operating system, a compatible version of the AD RMS client (http://go.microsoft.com/fwlink/?LinkId=167218) is available for download from the Microsoft Download Center.
AD RMS Bulk Protection Tool Commands
The following syntax, parameter description, and example sections describe the AD RMS Bulk Protection Tool commands. The following table shows the formatting legend for the AD RMS Bulk Protection Tool command syntax.
Format | Meaning |
---|---|
Without brackets | Elements that the user must type exactly as shown. |
Between angle brackets < > | Placeholders for values that the user must supply. |
Between square brackets [ ] | Optional items. |
Syntax
RMSBulk [/decrypt <location>] [/encrypt <location> <rms_template> [<owner_email>]] [/log <log_file> [/append] [/simple]] [/preserveattributes] [/silent]
Parameters
Parameter | Description |
---|---|
/decrypt <location> | Performs a bulk decryption. This decrypts all of the files that reside in the location specified with this parameter. |
/encrypt <location> <rms_template> [<owner_email>] | Performs a bulk encryption. This encrypts all of the files that reside in the location, using the rights policy template specified along with this parameter. The <owner_email> argument lets you specify a user who will have full control of the file. For example, the File Classification Infrastructure in Windows Server 2008 R2 can provide the SMTP address of the owner of a document before encrypt is run on it. Passing this SMTP address ensures that the owner retains full control of their documents. |
/log <log_file> [/append] [/simple] | Writes output to a log file. The log file contains a header that shows the status of the prerequisite stage and a footer that shows the summary of the run. The log file also shows file count information. The /simple flag omits the header, the footer, and the file numbering information from the log file. This is useful when the tool is used together with File Classification Infrastructure, because it lets you append to the log file without the header, footer, and file numbering information. The /append flag adds the new information to a pre-existing log file. By default, if neither /simple nor /append is specified when you use a pre-existing log file, that log file is overwritten. |
/preserveattributes | Preserves all the original file attributes: Owner, Creation Time, Modified Time, and Accessed Time. For example, when the tool is used with the File Classification Infrastructure in Windows Server 2008 R2, there may be a rule in place to delete all files that were not modified or accessed in the last 10 years; this switch keeps those original attributes intact so that encryption does not reset them. |
/silent | Disables console logging. |
Examples
The following shows an example of decrypting files on a network share:
RMSBulk.exe /decrypt \\Share\Folder /log RMSBulk.log
The following shows an example of encrypting local files:
RMSBulk.exe /encrypt C:\Documents\Folder C:\RMSTemplates\Template.xml /log C:\Logs\RMSBulk.log
The following shows an example of encrypting an individual file on a network share. This is also a representative example of how to use the tool in conjunction with File Classification Infrastructure (FCI):
RMSBulk.exe /encrypt \\Share\Folder\file.doc ContosoConfidential.xml joe@contoso.com /log C:\Logs\RMSBulk.log /append /simple /preserveattributes
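The FCI example above relies on /preserveattributes to keep the owner and timestamps that a retention rule may later evaluate. The following PowerShell wrapper is an added example, not part of the Microsoft documentation or the tool itself: it snapshots those four attributes, runs RMSBulk.exe with the same argument shape as the example, and reports whether any attribute changed. It assumes RMSBulk.exe is on the PATH (or at the path passed in $RmsBulkPath) and that a non-zero exit code means failure; the documentation does not define exit codes, so treat that as an assumption. The file path, template and e-mail address in the sample call are constructed values.

```powershell
# Added example (not from the Microsoft documentation): wraps RMSBulk.exe for one
# file, as in the FCI example, and verifies that /preserveattributes kept the
# Owner, Creation, Modified and Accessed attributes.
function Get-FileAttributeSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Owner          = (Get-Acl -LiteralPath $Path).Owner
        CreationTime   = $item.CreationTimeUtc
        LastWriteTime  = $item.LastWriteTimeUtc
        LastAccessTime = $item.LastAccessTimeUtc
    }
}

function Protect-FileWithRmsBulk {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$TemplatePath,
        [string]$OwnerEmail,
        [string]$LogPath = 'C:\Logs\RMSBulk.log',
        [string]$RmsBulkPath = 'RMSBulk.exe'   # assumption: on PATH or a full path
    )
    $before = Get-FileAttributeSnapshot -Path $Path

    # Argument list built from the documented syntax:
    # /encrypt <location> <rms_template> [<owner_email>] /log <log_file> /append /simple /preserveattributes
    $rmsArgs = @('/encrypt', $Path, $TemplatePath)
    if ($OwnerEmail) { $rmsArgs += $OwnerEmail }
    $rmsArgs += @('/log', $LogPath, '/append', '/simple', '/preserveattributes', '/silent')

    & $RmsBulkPath @rmsArgs
    # Assumption: a non-zero exit code signals failure (not defined by the documentation).
    if ($LASTEXITCODE -ne 0) {
        throw "RMSBulk.exe exited with code $LASTEXITCODE for '$Path' (see $LogPath)"
    }

    $after   = Get-FileAttributeSnapshot -Path $Path
    $changed = foreach ($name in 'Owner', 'CreationTime', 'LastWriteTime', 'LastAccessTime') {
        if ($before.$name -ne $after.$name) { $name }
    }
    if ($changed) {
        Write-Warning ("Attributes changed despite /preserveattributes: " + ($changed -join ', '))
    }
    [pscustomobject]@{
        Path      = $Path
        Before    = $before
        After     = $after
        Preserved = (-not $changed)
    }
}

# Sample call with constructed values (share, template and address do not exist):
# Protect-FileWithRmsBulk -Path '\\Share\Folder\file.doc' `
#     -TemplatePath 'C:\RMSTemplates\ContosoConfidential.xml' `
#     -OwnerEmail 'joe@contoso.com'
```

The returned object carries both snapshots, so a run that reports Preserved = $false can be diagnosed from the log file that /append /simple keeps growing across FCI invocations.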
Using the AD RMS Bulk Protection Tool
If this is the first time a computer has been used for AD RMS, you may see a dialog box that says the following: “Permission to this message is currently restricted. Microsoft Office must connect to <AD RMS Server Licensing URL> to verify your credentials and download your permission.” You can safely select Don’t show this message again and click OK.
You must add the AD RMS cluster URL to the Local intranet zone on your client computer before using the AD RMS Bulk Protection Tool on that computer. This can be done by adding the URL manually or by using a command-line option. The following sections describe each process.
This section lists the steps for manually adding the AD RMS URL to the local intranet in Internet Explorer. These steps may vary slightly depending on the client operating system version. Change adrmsservername to reflect your AD RMS server.
To add the AD RMS Cluster URL to Local Intranet in Internet Explorer manually:
- Log on to the client computer.
- On the taskbar, click Start, point to All Programs, and then click Internet Explorer.
- On the Tools menu, click Internet Options.
- Click Security and select Local intranet from the Select a zone to view or change security settings box.
- Click Sites to show a Local intranet window.
- Click Advanced to show another Local intranet window.
- In the Add this website to the zone: box, type http://adrmsservername or https://adrmsservername, depending on whether SSL is being used.
- Click to add or remove the check mark from Require server verification (https:) for all sites in this zone, and click Add. If you are using SSL, place a check in the box. If you are not using SSL, remove the check.
- Click Close.
- Click OK to close the Internet Options dialog box.
- Close Internet Explorer.
This section lists the steps for adding the AD RMS URL to the Local intranet zone in Internet Explorer using the command line.
To add the AD RMS Cluster URL to Local Intranet in Internet Explorer with the command line:
- Log on to the client computer.
- On the taskbar, click Start.
- In the search box, type reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\RMSSERVER" /v http /t REG_DWORD /d "1" /f and then press ENTER.
Tip: Change RMSSERVER above to the URL of your AD RMS cluster. Also, use /v https if you are using SSL.
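The reg add command above writes one DWORD under the ZoneMap\EscDomains key, where the subkey name is the DNS host name of the cluster URL and the value name is the scheme (http or https); the data 1 is the Local intranet zone. The following PowerShell is an added example, not from the Microsoft documentation: it writes the same entry and reads it back, so an administrator can confirm the prerequisite before running the tool. The host name adrms.contoso.com in the sample call is a constructed value.

```powershell
# Added example (not from the Microsoft documentation): create and verify the
# ZoneMap\EscDomains entry that the documented reg add command creates.
$ZoneMapEscDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains'

function Test-RmsClusterInLocalIntranet {
    param(
        [Parameter(Mandatory)][string]$ClusterHost,   # DNS host name, e.g. adrms.contoso.com (sample)
        [switch]$UseSsl
    )
    $scheme  = if ($UseSsl) { 'https' } else { 'http' }
    $keyPath = Join-Path $ZoneMapEscDomains $ClusterHost
    $entry   = Get-ItemProperty -LiteralPath $keyPath -Name $scheme -ErrorAction SilentlyContinue
    # Zone 1 is Local intranet, the value the reg add command writes with /d "1".
    return ($null -ne $entry -and $entry.$scheme -eq 1)
}

function Add-RmsClusterToLocalIntranet {
    param(
        [Parameter(Mandatory)][string]$ClusterHost,
        [switch]$UseSsl
    )
    $scheme  = if ($UseSsl) { 'https' } else { 'http' }
    $keyPath = Join-Path $ZoneMapEscDomains $ClusterHost
    if (-not (Test-Path -LiteralPath $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    # Equivalent of: reg add "...\EscDomains\<host>" /v http|https /t REG_DWORD /d "1" /f
    New-ItemProperty -LiteralPath $keyPath -Name $scheme -PropertyType DWord -Value 1 -Force | Out-Null
    return (Test-RmsClusterInLocalIntranet -ClusterHost $ClusterHost -UseSsl:$UseSsl)
}

# Sample call with a constructed host name; returns $true when the entry is in place:
# Add-RmsClusterToLocalIntranet -ClusterHost 'adrms.contoso.com' -UseSsl
```

Because the key lives under HKCU, it applies only to the user account that writes it. The FCI section of this topic notes that the tool runs under the Local System account when invoked by FCI and that all prerequisites then apply to that account, so run Test-RmsClusterInLocalIntranet in the context that will actually invoke RMSBulk.exe.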
Information Rights Management Protectors
Information Rights Management (IRM) protectors control the conversion of documents to their encrypted, rights-managed format and the decryption of documents from their rights-managed format back to their original format. The AD RMS Bulk Protection Tool installs two out-of-the-box IRM protectors:
Name | Supported File Formats |
---|---|
MsoIrmProtector | doc, dot, xla, xls, xlt, pps, ppt |
OpcIrmProtector | docm, docx, dotm, dotx, xlam, xlsb, xlsm, xlsx, xltm, xltx, xps, potm, potx, ppsx, ppsm, pptm, pptx, thmx |
In addition, the AD RMS Bulk Protection Tool also supports any file type that has an IRM Protector installed. However, currently only 32-bit IRM Protectors are supported. If you want to extend the AD RMS Bulk Protection Tool to work with additional file types, you must install the 32-bit version of that file type’s protector. This is also true if you are running the AD RMS Bulk Protection Tool on a 64-bit operating system. 64-bit IRM Protectors are currently not supported with the AD RMS Bulk Protection Tool.
Personal Storage Table Information
Before using the AD RMS Bulk Protection Tool to decrypt files contained within a .pst (personal storage table), Microsoft Office Outlook 2007 with Service Pack 2 must be open and running.
When decrypting a .pst file, you may receive a dialog box that says the following: "A program is trying to access data from Outlook that may include address book information. Do you want to allow this?" To avoid this dialog box, use the following steps:
To turn off an Outlook warning dialog box:
- Start Office Outlook 2007 SP2 as an Administrator by right-clicking the Outlook icon and selecting Run As Administrator.
- From the Tools menu, click Trust Center, and select Programmatic Access.
- Select the Never warn me about suspicious activity (not recommended) option.
- Click OK.
Note
Once the .pst has finished decrypting, you should set Programmatic Access back to its original setting. This can be done by following the steps above and selecting the default on the Programmatic Access screen. When running the AD RMS Bulk Protection Tool on a .pst file, the .pst file should not be password protected. The AD RMS Bulk Protection Tool does not decrypt messages that are AD RMS protected but not sent. The AD RMS Bulk Protection Tool only supports decrypting files contained within a .pst file; it does not support encrypting files contained within a .pst file.
Using the AD RMS Bulk Protection Tool in conjunction with the Windows Server 2008 R2 File Classification Infrastructure
The AD RMS Bulk Protection Tool can be used with the File Classification Infrastructure (FCI) that is provided in Windows Server 2008 R2. The Windows Server 2008 R2 FCI automates the classification of files on a file server based on pre-determined conditions. For example, you can set up FCI to classify documents as having a high business impact if the words "Intellectual Property" appear in the document, or if a social security number is in the document. Once these files have been classified, the AD RMS Bulk Protection Tool can be used, based on their classification, to apply rights policies that enforce these classifications and restrict access to the files.
The following three conditions must be satisfied before working with FCI:
First, the AD RMS Bulk Protection Tool runs under the Local System account when used with FCI; therefore all prerequisites apply to that account.
Second, prior to using the AD RMS Bulk Protection Tool with FCI, the machine account of the computer where the AD RMS Bulk Protection Tool resides must be enabled on the AD RMS server to allow the tool to run under the Local System account. To do this, use the following steps:
To add the Read and Execute permissions for the machine account on ServerCertification.asmx:
- Log on to the AD RMS Server as an Administrator.
- On the taskbar, click Start, select Computer, and double-click Local Disk (C:).
- In the open window, double-click inetpub, double-click wwwroot, double-click _wmcs, double-click certification, right-click ServerCertification.asmx and select Properties to show ServerCertification.asmx Properties.
- Click the Security tab, select New, and click Edit to show Permissions for ServerCertification.asmx.
- Click Add to show Select Users, Computers, or Groups.
- Click Object Types… and place a check in Computers. Click OK to close the Object Types screen.
- On the Select Users, Computers, or Groups screen, near Enter the object names to select, type <domain>\<machinename> and click Check Names. After the name resolves with an underline, click OK.
- On the Permissions for ServerCertification.asmx screen, select the newly added machinename and verify it has a check in Read & execute. Click Apply, then OK to close the Permissions for ServerCertification.asmx screen.
- On the ServerCertification.asmx properties, click OK.
Third, prior to using the AD RMS Bulk Protection Tool with FCI, the AD RMS Service Group must be given Read and Execute permissions on the ServerCertification.asmx file. This is a local group that resides on the AD RMS server. To do this, use the following steps:
To add the Read and Execute permissions for the AD RMS Service Group on ServerCertification.asmx:
- Log on to the AD RMS Server as an Administrator.
- On the taskbar, click Start, select Computer, and double-click Local Disk (C:).
- In the open window, double-click inetpub, double-click wwwroot, double-click _wmcs, double-click certification, right-click ServerCertification.asmx and select Properties to show ServerCertification.asmx Properties.
- Click the Security tab, select New, and click Edit to show Permissions for ServerCertification.asmx.
- Click Add to show Select Users, Computers, or Groups.
- Near Enter the object names to select, type <AD RMS machinename>\AD RMS Service Group and click Check Names. After the name resolves with an underline, click OK.
- On the Permissions for ServerCertification.asmx screen, select the newly added AD RMS Service Group and verify it has a check in Read & execute. Click Apply and then click OK to close the Permissions for ServerCertification.asmx screen.
- On the ServerCertification.asmx properties, click OK.
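The second and third conditions above both grant Read & execute on the same file, once to the FCI file server's machine account and once to the local AD RMS Service Group. The following PowerShell is an added example, not from the Microsoft documentation: run on the AD RMS server as an administrator, it applies both grants through Get-Acl/Set-Acl and then reads the ACL back so the result can be checked without opening the Properties dialog. It assumes the file is at the default IIS path walked through in the steps above; CONTOSO\FS01$ in the sample call is a constructed machine account name.

```powershell
# Added example (not from the Microsoft documentation): grant Read & execute on
# ServerCertification.asmx to the machine account and the AD RMS Service Group,
# then verify that both identities hold that right.
$DefaultAsmxPath = 'C:\inetpub\wwwroot\_wmcs\certification\ServerCertification.asmx'
$ReadAndExecute  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Test-RmsCertificationAccess {
    param(
        [Parameter(Mandatory)][string[]]$Identity,
        [string]$AsmxPath = $DefaultAsmxPath
    )
    $access = (Get-Acl -LiteralPath $AsmxPath).Access
    foreach ($id in $Identity) {
        $matching = @($access | Where-Object {
            $_.IdentityReference.Value -eq $id -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $ReadAndExecute) -eq $ReadAndExecute
        })
        [pscustomobject]@{ Identity = $id; HasReadAndExecute = ($matching.Count -gt 0) }
    }
}

function Grant-RmsCertificationAccess {
    param(
        [Parameter(Mandatory)][string]$MachineAccount,   # e.g. 'CONTOSO\FS01$' (constructed sample)
        [string]$AsmxPath = $DefaultAsmxPath
    )
    # The AD RMS Service Group is a local group on the AD RMS server, so it is
    # qualified with this server's own computer name.
    $identities = @($MachineAccount, "$env:COMPUTERNAME\AD RMS Service Group")

    $acl = Get-Acl -LiteralPath $AsmxPath
    foreach ($identity in $identities) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity,
            $ReadAndExecute,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $AsmxPath -AclObject $acl

    return (Test-RmsCertificationAccess -Identity $identities -AsmxPath $AsmxPath)
}

# Sample call with a constructed machine account; each row should show HasReadAndExecute = True:
# Grant-RmsCertificationAccess -MachineAccount 'CONTOSO\FS01$'
```

Only Read & execute is added, matching the GUI steps; the grant is deliberately scoped to this one .asmx file rather than the certification folder, and Test-RmsCertificationAccess can be re-run on its own as a periodic check that the two entries are still present.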