Event ID 23 — AD RMS Rights Policy Templates Integrity
Applies To: Windows Server 2008
Active Directory Rights Management Services (AD RMS) rights policy templates define a preconfigured set of parameters that can be used to protect sensitive information. Rights policy templates are stored in the AD RMS configuration database and shared to AD RMS clients.
|Product:|Windows Operating System|
|Source:|Active Directory Rights Management Services|
|Message:|An Active Directory Rights Management Services (AD RMS) client requested a rights policy template that is not recognized by the AD RMS cluster. Ensure that all rights policy templates are valid and exist in the configuration database.|
Delete the retired rights policy templates from the AD RMS-enabled clients
A mismatch can occur when an AD RMS-enabled client has a rights policy template on the local computer that is no longer in the AD RMS configuration database. If the AD RMS-enabled client is trying to use a rights policy template that no longer exists, the template should be removed from the client. If the rights policy template is actively being used in your environment, you should restore the configuration database to a point where the rights policy template existed in the database. If you determine that the rights policy template has been retired and should no longer be used, follow the procedure named "Delete a retired rights policy template from an AD RMS-enabled client". If the template mismatch is occurring on a rights policy template that is still being used, follow the procedure named "Restore the AD RMS configuration database to an earlier version" to recover the rights policy template.
Delete a retired rights policy template from an AD RMS-enabled client
To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
To delete a retired rights policy template from an AD RMS-enabled client:
- Log on to the AD RMS-enabled client computer as the user who is trying to use the retired template.
- Navigate to the directory where the rights policy templates are stored. The default location is %userprofile%\application data\Microsoft\DRM\Templates. If the AD RMS-enabled client is running Windows Vista, the location is %userprofile%\appdata\roaming\Microsoft\DRM\templates. For example, %userprofile% can be C:\users\user_name, where user_name is the user name of the user who is currently logged on to the computer.
- All rights policy templates are stored as XML files. Identify the template that is retired, right-click the file, click Delete, and then click Yes to confirm the file deletion.
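The deletion procedure above can be scripted so that retired templates are listed before anything is removed. The following PowerShell is an added example, not part of the original article or of AD RMS; the function name, its parameters, the sample file names, and the idea of identifying current templates by file name are assumptions.

```powershell
# Added example. Run as the user whose profile holds the templates.
# Assumption: $CurrentTemplates holds the file names of the templates that
# still exist in the AD RMS configuration database.
function Remove-RetiredRmsTemplate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$CurrentTemplates
    )

    # The two locations named in the procedure; the Windows Vista path is
    # tried first so the same folder is not processed twice.
    $candidates = @(
        (Join-Path $env:USERPROFILE 'AppData\Roaming\Microsoft\DRM\Templates'),
        (Join-Path $env:USERPROFILE 'Application Data\Microsoft\DRM\Templates')
    )
    $dir = $candidates | Where-Object { Test-Path -LiteralPath $_ } |
           Select-Object -First 1
    if (-not $dir) {
        Write-Warning 'No rights policy template folder found in this profile.'
        return
    }

    # Rights policy templates are stored as XML files.
    $files = Get-ChildItem -LiteralPath $dir -Filter '*.xml' |
             Where-Object { -not $_.PSIsContainer }

    foreach ($file in $files) {
        # -contains compares case-insensitively, like Windows file names.
        if ($CurrentTemplates -contains $file.Name) {
            Write-Verbose "Keeping $($file.FullName)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($file.FullName,
                'Delete retired rights policy template')) {
            Remove-Item -LiteralPath $file.FullName
        }
        # Emit the retired file so the result can be logged or reviewed.
        $file | Select-Object FullName, LastWriteTime
    }
}

# Constructed sample names; replace with the templates still in use.
$current = @('Contoso-Confidential.xml', 'Contoso-ReadOnly.xml')
Remove-RetiredRmsTemplate -CurrentTemplates $current -WhatIf
```

With -WhatIf the function only reports which files it would delete; remove the switch after reviewing the list.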
Restore the AD RMS configuration database to an earlier version
To perform this procedure, you must be a member of the System Administrators database role, or you must have been delegated the appropriate authority.
To restore the AD RMS configuration database to an earlier version:
- Log on to the AD RMS configuration database server, click Start, point to All Programs, click Microsoft SQL Server 2005, and then click SQL Server Management Studio.
- In the Server name box, type the name of the AD RMS configuration database server, and then click Connect.
- Right-click Databases, and then click Restore Database.
- In the To database box, select the AD RMS configuration database from the list.
- Click the From device option, and then click Browse.
- Click Add.
- In the Locate Backup File window, select the database backup file, and then click OK two times.
- Select the Restore check box, and then click OK.
Verify
To perform this procedure, you must be a member of the local Users group, or you must have been delegated the appropriate authority.
Note: Microsoft Office Word 2007 is used as an example in this section. Any AD RMS-enabled application can be used in place of Word 2007.
To verify that the AD RMS rights policy templates are working correctly:
1. Log on to an AD RMS-enabled client computer.
2. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Word 2007.
3. In the new document, type "This is a test document."
4. Click the Microsoft Office Start Button, point to Prepare, point to Restrict Permissions, and then click Restricted Access.
5. Select the Restrict permissions to this document check box.
6. Type another AD RMS user's e-mail address in the Read box, and then click OK.
7. Send this file to the person who was granted access in step 6.
8. Have this person open the document and verify that he or she cannot do anything else with the document, such as print it.