Active Directory Rights Management Services Templates

Dec 15th, 2011

The title is a bit of a mouthful, but here I’m talking about AD RMS templates and how to distribute them to client computers.

Microsoft provides a pair of scheduled tasks that are designed to update the templates on the client computer.  By default, they are disabled and you’ll need to enable them to get them to work.  You can find them in Task Scheduler, in the task library, under Microsoft\Windows\Active Directory Rights Management Services Client.  There is an “Automatic” task (that runs based on a schedule) and a “Manual” task that is initiated by the end-user.  Both run as the end-user (but elevated rights are required to enable/disable the tasks).

The tasks call out to a COM object to actually handle the update of the templates.  In the environment that I work in, this COM object utterly failed (in fact, it would outright delete existing templates off of the client computers!).

So, we decided to roll our own and perform the deployment via System Center Configuration Manager.  For this deployment, I ended up creating two packages.  One has a script that runs as an Administrator and disables the scheduled task (using the SCHTASKS command).  The second is the one that actually copies the RMS template XML files to the user’s application data folder (since this is specific to each user, this program runs in the user’s context).

For your reference, the default template path is %UserProfile%\AppData\Local\Microsoft\DRM\Templates, but it can be changed by a registry key (which can be managed by Group Policy).

Since you’ll only have one RMS service per forest, I feel pretty confident that you can merely wipe out any existing XML files in that template directory before replacing them with your properly authored ones.

For this advertisement, I chose to run it once per week, regardless of connectivity (fast/slow), by downloading it to the local cache directory. This way, we get an update “roll out” period of about a week for the majority of systems and catch the rest when they return to the network. Users only need the templates when they author documents or emails that are then rights protected; once the template is applied, the XML isn’t needed for opening or editing the files.
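The two package scripts described above, written out as an added example (this is not the post's own code). It uses the SCHTASKS command and the default template path the post names; everything else is an assumption: the task names are discovered under the task folder at run time rather than hard-coded, the package source folder holding the authored template XML files is passed in as `$SourceDir`, and the existing XML files are only wiped after the new set has been checked, so a broken package source never leaves a user with an empty template folder.

```powershell
# Added example, not the post's own scripts. Assumptions not taken from the
# post: task names are enumerated from the task folder, the authored template
# XML files live in $SourceDir (the package's own directory), and the new
# files are checked before the old ones are removed.

# --- Package 1: runs as Administrator -----------------------------------
# Disable every task under the AD RMS client task folder so the built-in
# COM-based updater no longer runs.
function Disable-RmsTemplateTasks {
    param(
        [string]$TaskFolder = '\Microsoft\Windows\Active Directory Rights Management Services Client'
    )
    # In CSV form schtasks reports TaskName as the full folder path.
    $tasks = schtasks /Query /FO CSV /NH |
        ConvertFrom-Csv -Header 'TaskName', 'NextRunTime', 'Status'
    $matched = @($tasks | Where-Object { $_.TaskName -like "$TaskFolder\*" })
    if ($matched.Count -eq 0) {
        Write-Warning "No tasks found under $TaskFolder"
        return 1
    }
    foreach ($t in $matched) {
        schtasks /Change /TN $t.TaskName /Disable | Out-Null
        if ($LASTEXITCODE -ne 0) { return $LASTEXITCODE }
        Write-Host "Disabled $($t.TaskName)"
    }
    return 0
}

# --- Package 2: runs in the user's context --------------------------------
# Replace the per-user template XML files.
function Update-RmsTemplates {
    param(
        [Parameter(Mandatory = $true)][string]$SourceDir,
        # Default path from the post; adjust if Group Policy redirected it.
        [string]$Destination = (Join-Path $env:LOCALAPPDATA 'Microsoft\DRM\Templates')
    )
    $new = @(Get-ChildItem -Path $SourceDir -Filter *.xml)
    if ($new.Count -eq 0) {
        Write-Warning "No template XML files in $SourceDir"
        return 1
    }
    # Refuse to touch the user's folder if any new file is not well-formed XML.
    foreach ($f in $new) {
        $doc = New-Object System.Xml.XmlDocument
        try { $doc.Load($f.FullName) }
        catch {
            Write-Warning "Not well-formed XML: $($f.FullName)"
            return 1
        }
    }
    if (-not (Test-Path $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }
    # One RMS service per forest (per the post), so stale templates are simply wiped.
    Get-ChildItem -Path $Destination -Filter *.xml | Remove-Item -Force
    foreach ($f in $new) {
        Copy-Item -Path $f.FullName -Destination $Destination -Force
    }
    # Confirm the copy landed before reporting success to Configuration Manager.
    $copied = @(Get-ChildItem -Path $Destination -Filter *.xml).Count
    if ($copied -ne $new.Count) { return 1 }
    return 0
}

# Each SCCM program would call one function and pass its result out as the
# exit code, e.g.:
#   exit (Disable-RmsTemplateTasks)
#   exit (Update-RmsTemplates -SourceDir (Split-Path -Parent $MyInvocation.MyCommand.Path))
```

The non-zero exit codes are what Configuration Manager reports as a failed program run, which is how you spot clients where the task folder was not found or where the template copy did not land.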
