Templates, Distribution, and Why You Should Care

  • Article

One of the great features of Active Directory Rights Management Services (AD RMS) is rights-policy templates. A template is something that an AD RMS administrator designs that provides a set of users, and/or groups, with a predefined set of rights. These templates are then used by AD RMS-enabled applications to enforce policies. You can read much more about AD RMS templates on TechNet here.

One of the big problems that IT administrators encounter with rights-policy templates is how to distribute them to end users. If the end user does not have the template, they can’t use the predefined policies. In previous versions of AD RMS (Windows Rights Management Services v1.0 SPx), Group Policy objects (GPO) were used as the primary means for template distribution. The AD RMS administrator would post the template .xml files to a UNC share and use GPO to push them to clients. There was no built-in way for the client to fetch templates.

Another problem with templates pertained to AD RMS-enabled applications and their developers. Applications that utilize templates typically allow the user to select which template they’d like to use to protect their content. This poses a problem for the application because there is no centralized location where the RM client stores templates, and no built-in way to discover them programmatically. The application was responsible for locating them in its own way (usually by way of registry key overrides). This resulted in different applications that would look for templates in different locations. This was problematic, to say the least. 

Enter Template Distribution. So what is template distribution and, ultimately, why should you care? Starting with Windows Vista Service Pack 1, the AD RMS client is able to fetch templates (this requires the AD RMS server to be at least Windows Server 2008) and store them in a centralized location. How? Through scheduled tasks and API’s, that’s how.

  • Scheduled Tasks - There are two scheduled tasks: one manual, and one automated. The automated task runs silently in the background and suppresses authentication prompts (choosing to fail instead). The manual task is the same as the automated task, except that it does not suppress authentication prompts (as opposed to fail silently). When the task executes, it first makes a request to the server to get its template information. From the information returned, the client can determine that it a) has the correct templates and b) has the most up-to-date version of them. If either of these conditions are not met, the client acquires (or re-acquires) the templates from the server.
  • Client API - In addition to scheduled tasks, the AD RMS client provides developers with an API that can be used to discover and acquire templates for their application. You can read more about that here

Note: It is important to point out that archived templates are not distributed to clients. This process applies only to distributed templates, hence the name.

Sounds great, right? But I’m sure you have some questions. So here’s an FAQ:

Q. Why are there two tasks, automated and manual?
A. There are two tasks because the end-user shouldn’t ever have to see a random credential UI for something that runs in the background and, even worse, for something they have no clue what it’s for. The automated task is designed to fail in this case, for this specific reason. The manual task can be invoked at any time by the user.
Q. How often will the automated task run once it’s enabled?
A. Once the task is enabled, the client will fetch templates (assuming it has never done this before). Afterwards, it creates the following registry key and populates it with the current time: HKCU\Software\Microsoft\MSDRM\TemplateManagement\lastUpdatedTime. Moving forward, the task checks the current time against the value in this registry key. If the date is off by 30 days or more, the client attempts to fetch templates again and the lastUpdatedTime is refreshed with the new date.
Q. So the default period is 30 days – can I change it?
A. Yes, this can be configured by setting the following registry key: HKCU\Software\Microsoft\MSDRM\TemplateManagement\updateFrequency (DWORD).
Q. Won’t all of the clients make requests at the same time and start a DoS attack?
A. No. When the client determines that it needs to fetch new templates, it will pick a random time within the next hour. This is to stagger the requests for enabling the scheduled task broadly in a large organization.
Q. Are the templates contained in TPD’s distributed?
A. No, templates contained in trusted publishing domains (TPD) are not distributed.
Q. Why aren’t my archived templates being distributed?
A. Wasn’t this answered already? Alright, here goes again. No, only distributed templates will be distributed to clients via template distribution.
Q. Is the automated task enabled out-of-the-box?
A. No, the automated task is not enabled when Windows is installed, since the majority of Windows users are not in an enterprise. 
Q. Where does the client store the templates?
A. The client stores templates here: %userprofile%\AppData\Local\Microsoft\DRM\templates.
Q. Is this functionality available on Windows XP, Windows Server 2003, or Windows Vista RTM?
A. No, this functionality is provided only on Vista SP1 and above.
Q. Is this functionality available for Windows Rights Management Services v1.0 SPx on Windows Server 2003?
A. No, this functionality is available only on Windows Server 2008 and above.

And there you have it – template distribution made easy.

Jody Hendrix, Lead Software Design Engineer in Test