RMS protection with Windows Server File Classification Infrastructure (FCI)

Applies to: Azure Information Protection, Windows Server 2016, Windows Server 2012, Windows Server 2012 R2

Instructions for: Azure Information Protection client for Windows

Use this article for instructions and a script to use the Azure Information Protection client and PowerShell to configure File Server Resource Manager and File Classification Infrastructure (FCI).

This solution lets you automatically protect all files in a folder on a file server running Windows Server, or automatically protect files that meet specific criteria, for example, files that have been classified as containing confidential or sensitive information. This solution connects directly to the Azure Rights Management service from Azure Information Protection to protect the files, so you must have this service deployed for your organization.

Note

Although Azure Information Protection includes a connector that supports File Classification Infrastructure, that solution supports native protection only (for example, Office files).

To support multiple file types with Windows Server File Classification Infrastructure, you must use the AzureInformationProtection PowerShell module, as documented in this article. The Azure Information Protection cmdlets, like the Azure Information Protection client, support generic protection as well as native protection, which means that file types other than Office documents can be protected. For more information, see File types supported by the Azure Information Protection client in the Azure Information Protection client admin guide.

The instructions that follow are for Windows Server 2012 R2 or Windows Server 2012. If you run other supported versions of Windows, you might need to adapt some of the steps for differences between your operating system version and the one documented in this article.

Prerequisites for Azure Rights Management protection with Windows Server FCI

Prerequisites for these instructions:

  • On each file server where you will run File Server Resource Manager with File Classification Infrastructure:

    • You have installed File Server Resource Manager as one of the role services for the File Services role.

    • You have identified a local folder that contains files to protect with Rights Management. For example, C:\FileShare.

    • You have installed the AzureInformationProtection PowerShell module and configured the prerequisites for this module to connect to the Azure Rights Management service.

      The AzureInformationProtection PowerShell module is included with the Azure Information Protection client. For installation instructions, see Install the Azure Information Protection client for users in the Azure Information Protection admin guide. If required, you can install just the PowerShell module by using the PowerShellOnly=true parameter.

      The prerequisites for using this PowerShell module include activating the Azure Rights Management service, creating a service principal, and, if your tenant is outside North America, editing the registry. Before you start the instructions in this article, make sure that you have values for your BposTenantId, AppPrincipalId, and symmetric key, as documented in these prerequisites.

    • If you want to change the default level of protection (native or generic) for specific file name extensions, you have edited the registry as described in the Changing the default protection level of files section of the admin guide.

    • You have an internet connection, and you have configured your computer settings if these are required for a proxy server. For example: netsh winhttp import proxy source=ie

  • You have synchronized your on-premises Active Directory user accounts with Azure Active Directory or Office 365, including their email addresses. This is required for all users who might need to access files after they are protected by FCI and the Azure Rights Management service. If you do not do this step (for example, in a test environment), users might be blocked from accessing these files. If you need more information about this requirement, see Preparing users and groups for Azure Information Protection.

  • This scenario does not support departmental templates, so you must either use a template that is not configured for a scope, or use the Set-AipServiceTemplateProperty cmdlet and the EnableInLegacyApps parameter.

Instructions to configure File Server Resource Manager FCI for Azure Rights Management protection

Follow these instructions to automatically protect all files in a folder, by using a PowerShell script as a custom task. Do these procedures in this order:

  1. Save the PowerShell script

  2. Create a classification property for Rights Management (RMS)

  3. Create a classification rule (Classify for RMS)

  4. Configure the classification schedule

  5. Create a custom file management task (Protect files with RMS)

  6. Test the configuration by manually running the rule and task

At the end of these instructions, all files in your selected folder will be classified with the custom property of RMS, and these files will then be protected by Rights Management. For a more complex configuration that selectively protects some files and not others, you can then create or use a different classification property and rule, with a file management task that protects just those files.

Note that if you make changes to the Rights Management template that you use for FCI, the computer account that runs the script to protect the files does not automatically get the updated template. To download it, locate the commented out Get-RMSTemplate -Force command in the script and remove the # comment character. When the updated template has been downloaded (the script has run at least one time), you can comment out this additional command again so that the templates are not unnecessarily downloaded each time. If the changes to the template are important enough to reprotect the files on the file server, you can do this interactively by running the Protect-RMSFile cmdlet with an account that has the Export or Full Control usage rights for the files. You must also run Get-RMSTemplate -Force if you publish a new template that you want to use for FCI.

Save the Windows PowerShell script

  1. Copy the contents of the Windows PowerShell script for Azure RMS protection by using File Server Resource Manager. Paste the contents of the script and name the file RMS-Protect-FCI.ps1 on your own computer.

  2. Review the script and make the following changes:

    • Search for the following string and replace it with your own AppPrincipalId that you use with the Set-RMSServerAuthentication cmdlet to connect to the Azure Rights Management service:

      <enter your AppPrincipalId here>

      For example, the script might look like this:

      [Parameter(Mandatory = $false)]
      [string]$AppPrincipalId = "b5e3f76a-b5c2-4c96-a594-a0807f65bba4",

    • Search for the following string and replace it with your own symmetric key that you use with the Set-RMSServerAuthentication cmdlet to connect to the Azure Rights Management service:

      <enter your key here>

      For example, the script might look like this:

      [Parameter(Mandatory = $false)]
      [string]$SymmetricKey = "zIeMu8zNJ6U377CLtppkhkbl4gjodmYSXUVwAO5ycgA="

    • Search for the following string and replace it with your own BposTenantId (tenant ID) that you use with the Set-RMSServerAuthentication cmdlet to connect to the Azure Rights Management service:

      <enter your BposTenantId here>

      For example, the script might look like this:

      [Parameter(Mandatory = $false)]
      [string]$BposTenantId = "23976bc6-dcd4-4173-9d96-dad1f48efd42",

  3. Sign the script. Signing is the more secure option; if you do not sign the script, you must configure Windows PowerShell on the servers that run it. For example, run a Windows PowerShell session with the Run as Administrator option, and type: Set-ExecutionPolicy RemoteSigned. However, this configuration lets all unsigned scripts run when they are stored on this server (less secure).

    For more information about signing Windows PowerShell scripts, see about_Signing in the PowerShell documentation library.

  4. Save the file locally on each file server that runs File Server Resource Manager with File Classification Infrastructure. For example, save the file in C:\RMS-Protection. If you use a different path or folder name, choose a path and folder that does not include spaces. Secure this file by using NTFS permissions so that unauthorized users cannot modify it.

You're now ready to start configuring File Server Resource Manager.

Create a classification property for Rights Management (RMS)

  • In File Server Resource Manager, Classification Management, create a new local property:

    • Name: Type RMS

    • Description: Type Rights Management protection

    • Property Type: Select Yes/No

    • Value: Select Yes

We can now create a classification rule that uses this property.

Create a classification rule (Classify for RMS)

  • Create a new classification rule:

    • On the General tab:

      • Name: Type Classify for RMS

      • Enabled: Keep the default, which is that this checkbox is selected.

      • Description: Type Classify all files in the <folder name> folder for Rights Management.

        Replace <folder name> with your chosen folder name. For example, Classify all files in the C:\FileShare folder for Rights Management

      • Scope: Add your chosen folder. For example, C:\FileShare.

        Do not select the checkboxes.

    • On the Classification tab:

      • Classification method: Select Folder Classifier

      • Property name: Select RMS

      • Property value: Select Yes

Although you can run the classification rules manually, for ongoing operations you want this rule to run on a schedule so that new files are classified with the RMS property.

Configure the classification schedule

  • On the Automatic Classification tab:

    • Enable fixed schedule: Select this checkbox.

    • Configure the schedule for all classification rules to run, which includes our new rule to classify files with the RMS property.

    • Allow continuous classification for new files: Select this checkbox so that new files are classified.

    • Optional: Make any other changes that you want, such as configuring options for reports and notifications.

Now that you've completed the classification configuration, you're ready to configure a management task to apply the RMS protection to the files.

Create a custom file management task (Protect files with RMS)

  • In File Management Tasks, create a new file management task:

    • On the General tab:

      • Task name: Type Protect files with RMS

      • Keep the Enable checkbox selected.

      • Description: Type Protect files in <folder name> with Rights Management and a template by using a Windows PowerShell script.

        Replace <folder name> with your chosen folder name. For example, Protect files in C:\FileShare with Rights Management and a template by using a Windows PowerShell script

      • Scope: Select your chosen folder. For example, C:\FileShare.

        Do not select the checkboxes.

    • On the Action tab:

      • Type: Select Custom

      • Executable: Specify the following:

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

        If Windows is not on your C: drive, modify this path or browse to this file.

      • Argument: Specify the following, supplying your own values for <path> and <template GUID>:

        -Noprofile -Command "<path>\RMS-Protect-FCI.ps1 -File '[Source File Path]' -TemplateID <template GUID> -OwnerMail '[Source File Owner Email]'"

        For example, if you copied the script to C:\RMS-Protection and the template ID you identified from the prerequisites is e6ee2481-26b9-45e5-b34a-f744eacd53b0, specify the following:

        -Noprofile -Command "C:\RMS-Protection\RMS-Protect-FCI.ps1 -File '[Source File Path]' -TemplateID e6ee2481-26b9-45e5-b34a-f744eacd53b0 -OwnerMail '[Source File Owner Email]'"

        In this command, [Source File Path] and [Source File Owner Email] are both FCI-specific variables, so type them exactly as they appear in the preceding command. The first variable is used by FCI to automatically specify the identified file in the folder, and the second is used by FCI to automatically retrieve the email address of the named Owner of the identified file. This command is repeated for each file in the folder, which in our example is each file in the C:\FileShare folder that additionally has RMS as a file classification property.

        Note

        The -OwnerMail [Source File Owner Email] parameter and value ensure that the original owner of the file is made the Rights Management owner of the file after it is protected. This configuration ensures that the original file owner has all Rights Management rights to their own files. When files are created by a domain user, the email address is automatically retrieved from Active Directory by using the user account name in the file's Owner property. For this to work, the file server must be in the same domain as the user, or in a trusted domain.

        Whenever possible, assign the original owners to protected documents, to ensure that these users continue to have full control over the files that they created. However, if you use the [Source File Owner Email] variable as in the preceding command, and a file does not have a domain user defined as the owner (for example, a local account was used to create the file, so the owner displays SYSTEM), the script fails.

        For files that do not have a domain user as owner, you can copy and save these files yourself as a domain user, so that you become the owner for just these files. Or, if you have permissions, you can manually change the owner. Alternatively, you can supply a specific email address (such as your own, or a group address for the IT department) instead of the [Source File Owner Email] variable, which means that all files you protect by using this script use this email address to define the new owner.

      • Run the command as: Select Local System

    • On the Condition tab:

      • Property: Select RMS

      • Operator: Select Equal

      • Value: Select Yes

    • On the Schedule tab:

      • Run at: Configure your preferred schedule.

        Allow plenty of time for the script to complete. Although this solution protects all files in the folder, the script runs once for each file, each time. Although this takes longer than protecting all the files at the same time, which the Azure Information Protection client supports, this file-by-file configuration for FCI is more powerful. For example, the protected files can have different owners (retaining the original owner) when you use the [Source File Owner Email] variable, and this file-by-file action is required if you later change the configuration to selectively protect files rather than all files in a folder.

      • Run continuously on new files: Select this checkbox.
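The note above describes the failure mode where a file's NTFS owner is SYSTEM or a local account, so the [Source File Owner Email] lookup has nothing to resolve. The following added example (not the article's RMS-Protect-FCI.ps1 script) shows one way to handle that case in a per-file wrapper: resolve the owner's mail attribute from Active Directory and fall back to a fixed address only for files without a domain owner. It assumes the AzureInformationProtection module is installed, that Set-RMSServerAuthentication has already been run in the session, a domain-joined file server for the AD lookup, and a placeholder fallback address.

```powershell
# Added example (not the article's RMS-Protect-FCI.ps1): protect a single file with
# Protect-RMSFile, making the original NTFS owner the Rights Management owner when
# that owner is a domain user with a mail attribute, and otherwise using a fallback
# address (a hypothetical IT group mailbox) instead of failing.
# Assumes: AzureInformationProtection module installed, Set-RMSServerAuthentication
# already called in this session, and a domain-joined file server for the AD lookup.
param(
    [Parameter(Mandatory = $true)]  [string]$File,
    [Parameter(Mandatory = $true)]  [string]$TemplateId,
    # Placeholder: replace with your own group or personal address.
    [Parameter(Mandatory = $false)] [string]$FallbackOwnerMail = 'rms-owners@contoso.example'
)

function Resolve-OwnerMail {
    param([string]$Path, [string]$Fallback)

    # NTFS owner as DOMAIN\user, e.g. CONTOSO\jdoe, or NT AUTHORITY\SYSTEM for
    # files created by local or service accounts.
    $owner = (Get-Acl -LiteralPath $Path).Owner
    if ($owner -notmatch '^(?<domain>[^\\]+)\\(?<sam>[^\\]+)$') {
        Write-Verbose "Owner '$owner' is not in DOMAIN\user form; using fallback."
        return $Fallback
    }
    $domain = $Matches['domain']
    $sam    = $Matches['sam']

    # Built-in and machine-local principals have no Active Directory mail attribute.
    if ($domain -in @('NT AUTHORITY', 'BUILTIN', $env:COMPUTERNAME)) {
        Write-Verbose "Owner '$owner' is local or built-in; using fallback."
        return $Fallback
    }

    # Look up the mail attribute of the owning domain user. LDAP filter
    # metacharacters in the account name are escaped (backslash first) so an
    # unusual account name cannot change the shape of the query.
    $escapedSam = $sam -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    try {
        $searcher = [ADSISearcher]"(&(objectCategory=person)(sAMAccountName=$escapedSam))"
        $result = $searcher.FindOne()
        if ($result -and $result.Properties['mail'].Count -gt 0) {
            return [string]$result.Properties['mail'][0]
        }
        Write-Verbose "No mail attribute for '$owner'; using fallback."
    } catch {
        Write-Warning "Active Directory lookup for '$owner' failed: $_"
    }
    return $Fallback
}

# Skip files that are already protected so re-runs of the FCI task are idempotent.
$status = Get-RMSFileStatus -File $File
if ($status.Status -eq 'Protected') {
    Write-Output "Already protected, skipping: $File"
    return
}

$ownerMail = Resolve-OwnerMail -Path $File -Fallback $FallbackOwnerMail
Protect-RMSFile -File $File -TemplateId $TemplateId -OwnerEmail $ownerMail | Out-Null
Write-Output "Protected '$File' with template $TemplateId; RMS owner = $ownerMail"
```

Run it from the file management task with the same -File '[Source File Path]' and -TemplateID arguments as the article's command, but without -OwnerMail, since the wrapper derives the owner itself.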

Test the configuration by manually running the rule and task

  1. Run the classification rule:

    1. Click Classification Rules > Run Classification With All Rules Now

    2. Click Wait for classification to complete, and then click OK.

  2. Wait for the Running Classification dialog box to close, and then view the results in the automatically displayed report. You should see 1 for the Properties field and the number of files in your folder. Confirm by using File Explorer and checking the properties of files in your chosen folder. On the Classification tab, you should see RMS as a property name and Yes for its Value.

  3. Run the file management task:

    1. Click File Management Tasks > Protect files with RMS > Run File Management Task Now

    2. Click Wait for the task to complete, and then click OK.

  4. Wait for the Running File Management Task dialog box to close, and then view the results in the automatically displayed report. You should see the number of files that are in your chosen folder in the Files field. Confirm that the files in your chosen folder are now protected by Rights Management. For example, if your chosen folder is C:\FileShare, type the following command in a Windows PowerShell session and confirm that no files have a status of Unprotected:

    foreach ($file in (Get-ChildItem -Path C:\FileShare -Force | where {!$_.PSIsContainer})) {Get-RMSFileStatus -File $file.FullName}

    Tip

    Some troubleshooting tips:

    • If you see 0 in the report instead of the number of files in your folder, this output indicates that the script did not run. First, check the script itself by loading it in Windows PowerShell ISE to validate the script contents, and try running it one time in the same PowerShell session to see if any errors are displayed. With no arguments specified, the script tries to connect and authenticate to the Azure Rights Management service.

      • If the script reports that it couldn't connect to the Azure Rights Management service (Azure RMS), check the values it displays for the service principal account, which you specified in the script. For more information about how to create this service principal account, see Prerequisite 3: To protect or unprotect files without interaction in the Azure Information Protection client admin guide.

      • If the script reports that it could connect to Azure RMS, next check that it can find the specified template by running Get-RMSTemplate directly from Windows PowerShell on the server. You should see the template you specified returned in the results.

    • If the script by itself runs in Windows PowerShell ISE without errors, try running it as follows from a PowerShell session, specifying a file name to protect and without the -OwnerMail parameter:

      powershell.exe -Noprofile -Command "<path>\RMS-Protect-FCI.ps1 -File '<full path and name of a file>' -TemplateID <template GUID>"

      • If the script runs successfully in this Windows PowerShell session, check your entries for Executable and Argument in the file management task action. If you have specified -OwnerMail [Source File Owner Email], try removing this parameter.

        If the file management task works successfully without -OwnerMail [Source File Owner Email], check that the unprotected files have a domain user listed as the file owner, rather than SYSTEM. To make this check, use the Security tab of the file's properties, and then click Advanced. The Owner value is displayed immediately after the file Name. Also, verify that the file server is in the same domain or a trusted domain, so that it can look up the user's email address from Active Directory Domain Services.

    • If you see the correct number of files in the report but the files are not protected, try protecting the files manually by using the Protect-RMSFile cmdlet, to see if any errors are displayed.
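The troubleshooting tips above, plus the Get-RMSTemplate -Force step from the template-change section, can be run as one pre-flight check before scheduling the task. The following is an added example, not part of the article's script: it authenticates with the same service principal values, confirms the template is visible, then lists each file's protection status next to its NTFS owner so SYSTEM-owned files stand out. The folder, template GUID and credential values are placeholders, and it assumes the AzureInformationProtection module on a domain-joined server.

```powershell
# Added example (not from the article): a pre-flight check that walks the
# troubleshooting steps in order, then audits the folder. Placeholders below
# must be replaced with your own values from the prerequisites.
param(
    [string]$Folder         = 'C:\FileShare',
    [string]$TemplateId     = '<template GUID>',
    [string]$BposTenantId   = '<enter your BposTenantId here>',
    [string]$AppPrincipalId = '<enter your AppPrincipalId here>',
    [string]$SymmetricKey   = '<enter your key here>'
)
Import-Module AzureInformationProtection -ErrorAction Stop

# Step 1: authenticate as the service principal, exactly as the FCI script does.
# A failure here points at the BposTenantId / AppPrincipalId / key values.
try {
    Set-RMSServerAuthentication -BposTenantId $BposTenantId -AppPrincipalId $AppPrincipalId -Key $SymmetricKey -ErrorAction Stop
} catch {
    Write-Error "Could not authenticate to Azure RMS with the service principal: $_"
    return
}

# Step 2: confirm the template is visible to this principal. -Force re-downloads
# the templates, which is what the article tells you to do after changing one.
$template = Get-RMSTemplate -Force | Where-Object { $_.TemplateId -eq $TemplateId }
if (-not $template) {
    Write-Error "Template $TemplateId was not returned by Get-RMSTemplate. Check that it is published and is not a departmental (scoped) template."
    return
}
Write-Output "Template found: $($template.Name) ($TemplateId)"

# Step 3: audit every file (folders excluded) and pair RMS status with the NTFS
# owner, so files owned by SYSTEM or a local account (the case where the
# -OwnerMail '[Source File Owner Email]' lookup fails) are easy to spot.
$report = @(Get-ChildItem -LiteralPath $Folder -Force |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        [pscustomobject]@{
            File   = $_.FullName
            Status = (Get-RMSFileStatus -File $_.FullName).Status
            Owner  = (Get-Acl -LiteralPath $_.FullName).Owner
        }
    })

$unprotected = @($report | Where-Object { $_.Status -ne 'Protected' })
$localOwned  = @($unprotected | Where-Object {
    $_.Owner -notmatch '^[^\\]+\\' -or
    $_.Owner -like 'NT AUTHORITY\*' -or
    $_.Owner -like 'BUILTIN\*' -or
    $_.Owner -like "$env:COMPUTERNAME\*"
})

Write-Output ("Files: {0}, protected: {1}, unprotected: {2}" -f `
    $report.Count, ($report.Count - $unprotected.Count), $unprotected.Count)
if ($unprotected.Count -gt 0) {
    Write-Output "Unprotected files and their NTFS owners:"
    $unprotected | Format-Table -AutoSize File, Owner
}
if ($localOwned.Count -gt 0) {
    Write-Warning ("{0} unprotected file(s) are owned by a local or built-in account; the -OwnerMail lookup cannot resolve an email address for these. Reassign a domain owner, or pass a fixed address instead of [Source File Owner Email]." -f $localOwned.Count)
}
```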

When you have confirmed that these tasks run successfully, you can close File Server Resource Manager. New files are automatically classified and protected when the scheduled tasks run.

Action required if you make changes to the Rights Management template

If you make changes to the Rights Management template that the script references, the computer account that runs the script to protect the files does not automatically get the updated template. In the script, locate the commented out Get-RMSTemplate -Force command in the Set-RMSConnection function, and remove the comment character at the beginning of the line. The next time the script runs, the updated template is downloaded. To optimize performance so that templates don't download unnecessarily, you can then comment out this line again.

If the changes to the template are important enough to reprotect the files on the file server, you can do this interactively by running the Protect-RMSFile cmdlet with an account that has the Export or Full Control usage rights for the files.

Also run this line in the script if you publish a new template that you want to use for FCI, and change the template ID in the argument line for the custom file management task.

Modifying the instructions to selectively protect files

When you have the preceding instructions working, it's then easy to modify them for a more sophisticated configuration. For example, protect files by using the same script but only for files that contain personally identifiable information, and perhaps select a template that has more restrictive rights.

To make this modification, use one of the built-in classification properties (for example, Personally Identifiable Information) or create your own new property. Then create a new rule that uses this property. For example, you might select the Content Classifier, choose the Personally Identifiable Information property with a value of High, and configure the string or expression pattern that identifies the files to be configured for this property (such as the string "Date of Birth").

Now all you need to do is create a new file management task that uses the same script but perhaps with a different template, and configure the condition for the classification property that you have just configured. For example, instead of the condition that we configured previously (RMS property, Equal, Yes), select the Personally Identifiable Information property with the Operator value set to Equal and the Value of High.

Next steps

You might be wondering: What's the difference between Windows Server FCI and the Azure Information Protection scanner?