Windows Server 2019: Active Directory Rights Management Service (Part 2)


// *************************
// Metadata:
// DC31:- Domain Controller (Yi.vn) - IP: 10.0.0.31
// DC32:- Exchange Server - IP: 10.0.0.32
// DC33:- Domain Member (Install AD RMS) - IP: 10.0.0.33
// DC34:- Domain Member (Install Certificate Server) - IP: 10.0.0.34
// WIN101, WIN102 clients
// Turn off firewall for all
// *************************

1) DC33 > File Explorer > C: > Create New Folder > Folder Name: Policy > Policy Properties - Sharing > Share > Choose people on your network to share with:- Everyone (Permission Level: Read/Write) > Share > Policy:- \\DC33\Policy  > Done >

1) DC33 > Server Manager > Tools > Active Directory Rights Management Services > Active Directory Rights Management Services - dc33.yi.vn (local) - Exclusion Policies - (right-click) Users > Enable User Exclusion > dc33.yi.vn (local) - Exclusion Policies - (right-click) Applications > Enable Application Exclusion > dc33.yi.vn (local) - Security Policies - (right-click) Super Users > Enable Super Users >

2) DC33 > Server Manager > Tools > Active Directory Rights Management Services > Active Directory Rights Management Services - dc33.yi.vn (local) - Rights Policy Templates > (right-hand side) Create distributed rights policy template > Add > Create Distributed Rights Policy Template - Add New Template Identification Information :- Name: Prevent Print > Add > Next > Create Distributed Rights Policy Template - Add User Rights - Users and Rights ( Add ) > Add User or Group - (x) The email address of a user or group:- HiepIT@yi.vn ( Rights:- View | Edit | Export (Save as) | Forward | Reply | Reply All | Extract | Allow Macros | View Rights | Edit Rights ) | Vietit@yi.vn ( Rights:- View | Edit | Export (Save as) | Forward | Reply | Reply All | Extract | Allow Macros | View Rights | Edit Rights ) > Next > Create Distributed Rights Policy Template - Specify Extended Policy - (x) Enable users to view protected content using a browser add-on > Next > Finish >

3) DC33 > Server Manager > Tools > Active Directory Rights Management Services > Active Directory Rights Management Services - dc33.yi.vn (local) - Rights Policy Templates > Distributed Rights Policy Template Information - Name: Prevent Print | Created Date: 11/18/2018 | Last Modified Date: 11/18/2018 | Last Modified by: Yi\Administrator >

4) DC33 > Server Manager > Tools > Active Directory Rights Management Services > Active Directory Rights Management Services - dc33.yi.vn (local) - Rights Policy Templates > (right-hand side) Change distributed rights policy templates file location > Rights Policy Templates - (*) Enable export | Specify templates file location (UNC): \\DC33\Policy > OK >

// Create a mail group named RMSSuper

5) DC32 > (Login) Other User: Yi\Administrator > Run > Exchange Management Shell > [PS] C:\Windows\system32 > New-DistributionGroup -Name "RMSSuper" -OrganizationalUnit "Yi.vn/users" -SAMAccountName "RMSSuper" -Type "Distribution">
Name: RMSSuper | DisplayName: RMSSuper | GroupType: Universal | PrimarySmtpAddress: RMSSuper@yi.vn 

// Add account Federat... to RMSSuper

6) DC32 > (Login) Other User: Yi\Administrator > Run > Exchange Management Shell > [PS] C:\Windows\system32 > Add-DistributionGroupMember RMSsuper -Member FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042

7) DC33 > Server Manager > Tools > Active Directory Rights Management Services > Active Directory Rights Management Services - dc33.yi.vn (local) - Security Policies - (right-click) Super Users > Change super user group > Super User Group:- RMSSuper@Yi.Vn

// Turn off Windows Defender Firewall on DC32

8) DC32 > Run > wf.msc
> Windows Defender Firewall with Advanced Security on Local Computer - Domain Profile - Firewall State: Off 
> Windows Defender Firewall with Advanced Security on Local Computer - Private Profile - Firewall State: Off
> Windows Defender Firewall with Advanced Security on Local Computer - Public Profile - Firewall State: Off >

9) DC32 > Restart PC

// Show IRMConfiguration

10) DC32 > Run > Exchange Management Shell > [PS] C:\Windows\system32 > Get-IRMConfiguration

InternallicensingEnabled   : False

// Set IRMConfiguration: Internal Licensing to TRUE

11) DC32 > Run > Exchange Management Shell > [PS] C:\Windows\system32 > Set-IRMConfiguration -InternalLicensingEnabled $true

// Test the IRM configuration by protecting a test message sent as HiepIT@Yi.vn

12) DC32 > Run > Exchange Management Shell > [PS] C:\Windows\system32 > Test-IRMConfiguration -Sender HiepIT@Yi.vn



13) WIN101/WIN102 > (Login) HiepIT > Start - Internet Explorer - Tools - Internet options - Security tab - Trusted sites - Sites - Add this website to the zone: https://dc33.Yi.vn - Add > Security level for this zone: move the slider all the way down to Low

14) To send email using AD RMS, go to Outlook (2016), write any email message, click on File (top left-hand side) - click on Restrict Permission to this item - Connect to Rights Management Server and get templates > View Certificate > Install Certificate > Reboot
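The following PowerShell script is an added verification check, not part of the original lab notes. Run in the Exchange Management Shell on DC32 after steps 5-12, it confirms that the super user group holds only the FederatedEmail system mailbox (that group can decrypt every protected message, so extra members are a risk), that internal licensing is on, that Test-IRMConfiguration passes, and that the template share from step 1 does not leave Everyone with write access. Server, group and account names are this lab's values; the share check assumes WinRM access from DC32 to DC33.

```powershell
# Added verification script for this lab's AD RMS / Exchange setup (not from the original notes).
# Run in the Exchange Management Shell on DC32. Names below are this lab's values.

$SuperGroup     = 'RMSSuper'
$ExpectedMember = 'FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042'
$TestSender     = 'HiepIT@Yi.vn'
$TemplateServer = 'DC33'
$TemplateShare  = 'Policy'

# 1. Super users can decrypt all RMS-protected content. Only the Exchange
#    FederatedEmail mailbox should be a member of the super user group.
$members = Get-DistributionGroupMember -Identity $SuperGroup -ErrorAction Stop
$extra   = $members | Where-Object { $_.Name -ne $ExpectedMember }
if ($extra) {
    Write-Warning ("Unexpected members in {0}: {1}" -f $SuperGroup, ($extra.Name -join ', '))
} else {
    Write-Host "OK: $SuperGroup contains only $ExpectedMember"
}

# 2. Exchange only obtains use licenses from AD RMS when internal licensing is enabled (step 11).
$irm = Get-IRMConfiguration
if (-not $irm.InternalLicensingEnabled) {
    Write-Warning 'InternalLicensingEnabled is False; run Set-IRMConfiguration -InternalLicensingEnabled $true'
} else {
    Write-Host 'OK: InternalLicensingEnabled is True'
}

# 3. End-to-end check (step 12): Exchange protects and decrypts a test message as the sender.
#    The result is inspected as text so it does not depend on the output object's property names.
$testText = Test-IRMConfiguration -Sender $TestSender | Out-String
if ($testText -match 'FAIL') {
    Write-Warning "Test-IRMConfiguration reported a failure for $TestSender"
    Write-Host $testText
} else {
    Write-Host "OK: Test-IRMConfiguration passed for $TestSender"
}

# 4. Step 1 shared the template folder to Everyone with Read/Write. Clients only need
#    Read; write access should be limited to the AD RMS service account/group.
$shareAcl = Invoke-Command -ComputerName $TemplateServer -ScriptBlock {
    param($name) Get-SmbShareAccess -Name $name
} -ArgumentList $TemplateShare
$shareAcl | Where-Object { $_.AccountName -like '*Everyone' -and $_.AccessRight -ne 'Read' } |
    ForEach-Object {
        Write-Warning ("Everyone has {0} on \\{1}\{2}; reduce to Read" -f $_.AccessRight, $TemplateServer, $TemplateShare)
    }
```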
