Additional Blogs by SAP
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How does SAP control the rollout of AD RMS ?

Former Member
‎12-03-2013 8:05 PM
0 Kudos

You have your new fancy RMS installation up and running, but you want to limit the usage, restrict it for certain users or groups.  How do you control the rollout of RMS ?

Well, it wasn't easy !  We used a combination of AD Groups and GPO's to manage the rollout of RMS within SAP. 

Part 1 : The first GPO sets the value for disablecreation (found in ADMX files) to enabled and is applied to everyone excluding the group where we maintain the users who are RMS enabled.  The RMS enable group we maintain keeps the default setting of "Not Configured" (which is the same as explicit disabled).  This effectively disables the disablecreation which allows the RMS enabled users to see the RMS protection option in Microsoft Office applications.  It can be confusing, you have to pay close attention to the wording so you know the result of the policy setting when enabling or disabling.  In this case, disabling the disablecreation policy will enable the RMS options for the group it is applied to. Enabling the disablecreation will remove the RMS options for the group it is applied to.

Part 2 : There is a second GPO applied to the group we maintain for RMS enabled users which enabled an automated scheduled task to setup the templates path.  In Office 2007 and 2010 this is required so Office knows where to look for templates, if you setup templates with your RMS setup.  This task runs at any logon and at a specified time.

Description: Updates the AD RMS rights policy templates for the user. This job does not provide a credential prompt if authentication to the template distribution web service on the server fails. In this case, it fails silently.

Part 3 : What about Outlook ?  SAP chose to not use RMS for Outlook but natively this is not possible, there is no disable RMS option for Outlook, but we did it !  How ?  We created a 3rd GPO which disables the Outlook UI (user interface) options for RMS, including the command bar items so they are not visible, not selectable, not usable.

This is the quick and easy version, keep checking my blog for more information... If you have any questions please feel free to post !

Upcoming posts : groups, service requests, cross forest RMS installations, RMSViewer for mobile, SCOM monitoring for RMS

Popular Blog Posts