Providing Different Rights Policy Templates for Different Users

Perhaps you would like to provide different AD RMS rights policy templates to different users in your organization.  For example, maybe users in your legal department need certain templates specific to their needs, but these templates would be inappropriate to make available to the rest of your organization.  You can accomplish this in one of two ways.

Licensing-only Clusters:

First, you can create licensing-only clusters for groups of users that need different templates.  Licensing-only clusters issue end use licenses and publishing licenses, but cannot issue rights account certificates.  A licensing-only cluster has its own logging, templates, revocation, and super users settings and is therefore most appropriate when you need to segment AD RMS administration beyond just rights policy templates. 

To use licensing-only clusters in your organization, you must set the EnterprisePublishing registry key to point to the appropriate licensing-only cluster.  The EnterprisePublishing registry key is located under HKEY_LOCAL_MACHINE\Software\Microsoft\MSDRM\ServiceLocation.  Managing this key can quickly become cumbersome as you add more licensing-only clusters and users in your environment.

When you consider the role of licensing-only clusters in your organization, remember that they should be used for segmenting business administration, not for improving AD RMS performance, because licensing-only clusters cannot load balance with other licensing-only clusters or the certification cluster.  For more information on licensing-only clusters, see the TechNet article AD RMS Licensing-only Cluster Deployment Step-by-step Guide.

Modifying Template Distribution:

The list of rights policy templates that appears in Microsoft Office applications is loaded from the copy of the templates stored in the folder that the AdminTemplatePath registry key points to.  By default this folder is %LocalAppData%\Microsoft\DRM\Templates.  You can provide different templates to different users by populating this folder with the appropriate templates.  The exact procedure will vary based on how you are distributing templates in your organization.  For example, if you are distributing your templates with a script, you can modify that script to specify which templates to copy to the folder, and then link that script to a Group Policy Object that is filtered to only include the appropriate users.

Also, if you wish to distribute different templates to different users through a script, as described above, you cannot use the AD RMS Rights Policy Template Management tasks in the Task Scheduler.  These tasks retrieve all the rights policy templates in an organization and will then populate an end-user's template folder with all the templates he is missing.  For more information on distributing rights policy templates using a script, see the TechNet article Distribution through Login Scripts.

This process will populate an end-user's template list with only the templates that you specify.  If you have not specified a particular template for a user, he will not be able to protect content with that template.  However, he will still be able to consume content protected by that template, provided he has been granted the necessary permissions by the template.
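
The script-based distribution described above could look like the following logon script. This is an added example, not code from the original article or from Microsoft; the share path, group names and template file names are hypothetical placeholders, and the final pruning step goes beyond what the article describes so that a user who leaves a group also loses that group's templates.

```powershell
# Added example: per-group AD RMS template distribution at logon.
# Assumptions (not from the original article): the share path, the group
# names and the template file names below are hypothetical placeholders.
$SourceShare = '\\fileserver.example.com\RMSTemplates'
# Default template folder named in the article.
$LocalFolder = Join-Path $env:LOCALAPPDATA 'Microsoft\DRM\Templates'

# Hypothetical mapping: AD group -> templates its members may protect content with.
$TemplateMap = @{
    'EXAMPLE\Domain Users' = @('Company-Confidential.xml')
    'EXAMPLE\Legal'        = @('Legal-Privileged.xml', 'Legal-Outside-Counsel.xml')
}

# Resolve the logged-on user's group names; skip SIDs that cannot be translated.
$groups = @(foreach ($sid in [Security.Principal.WindowsIdentity]::GetCurrent().Groups) {
    try { $sid.Translate([Security.Principal.NTAccount]).Value } catch { }
})

# Union of the templates allowed for this user (empty array if no group matches).
$allowed = @($TemplateMap.Keys |
    Where-Object { $groups -contains $_ } |
    ForEach-Object { $TemplateMap[$_] } |
    Sort-Object -Unique)

if (-not (Test-Path $LocalFolder)) {
    New-Item -ItemType Directory -Path $LocalFolder -Force | Out-Null
}

# Copy the allowed templates; a missing source file is reported, not fatal.
foreach ($name in $allowed) {
    $src = Join-Path $SourceShare $name
    if (Test-Path $src) {
        Copy-Item -Path $src -Destination $LocalFolder -Force
    } else {
        Write-Warning "Template not found on share: $src"
    }
}

# Remove local templates that are no longer allowed (for example after a
# group change), so the folder holds only what this user should see.
Get-ChildItem -Path $LocalFolder -Filter '*.xml' |
    Where-Object { $allowed -notcontains $_.Name } |
    Remove-Item -Force
```

Because the mapping is evaluated per user at logon, the same script can be linked to a single Group Policy Object instead of maintaining one filtered GPO per template set.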