Rights Management Server and Exchange 2010 (Part 7)

If you would like to read the first part in this article series please go to:


If you have read the previous parts of this article, you will no doubt have recognized that throughout this article, we have seen the repeated use of the Do Not Forward RMS template that is supplied with Exchange 2010. Of course, this particular template is very useful in many scenarios within an Exchange organization but at the same time you may be wondering what else you can do with RMS and Exchange 2010 integration. Although this is an article series on the RMS features as they apply to Exchange 2010, I wanted to take a little time within the Active Directory Rights Management Services console to show you how to create custom templates. This will hopefully give you a little bit more of an idea on the overall operation of RMS.

Custom RMS Templates

Any new templates that you create will be stored in the configuration database, and you may remember from part one that we chose the Windows internal database option when installing RMS rather than a specific SQL server, for example. You can also elect to store the templates in a shared folder such that the templates can be made available to clients that are working offline. You will find the configuration option for specifying the shared folder location by selecting the Rights Policy Templates option from the left-hand pane in the Active Directory Rights Management Services snap-in. Towards the bottom of the central pane, there is the option titled Change distributed rights policy templates file location. This is actually shown below in Figure 54 in this article.

By way of an example of the need to create a custom RMS template, consider the scenario where you receive a message that has text such as the following at the bottom of the message:

“This email is sent from an unmonitored account. Please do not reply to this message”.

I’m sure you have seen emails with text similar to this. What if your organization has a need to send emails out from unmonitored accounts? How can you use RMS to prevent users from replying to those messages? Let’s take the scenario where a fictitious mailbox called Sales Report is used to send sales data to a number of users and that we wish to ensure that the recipients of messages sent from the Sales Report mailbox are not able to reply to those messages. What we need to do is to create a new RMS template that prevents users from clicking the ‘reply’ or ‘reply to all’ buttons in Outlook.

Here are the steps required to create the new RMS template. First, we need to create our custom RMS template and to do this you need to work through the following steps:

  1. On the RMS server, run the Active Directory Rights Management Services snap-in, located in the Administrative Tools folder.
  2. From the left-hand pane, select the Rights Policy Templates option and you should be presented with a screen similar to the one shown in Figure 54. As you can see, there are currently no custom templates defined.

Figure 54: Rights Policy Templates

  1. Click the Create distributed rights policy template link and corresponding wizard should be displayed. The first wizard screen is named Add Template Identification Information and this is shown in Figure 55.

Figure 55: Creating a New Rights Policy Template

  1. Click the Add button which will present the Add New Template Identification Information window as shown in Figure 56. In this window, select the relevant language and give the new template a suitable name. You will note that the description field has to be populated with data in order for the Add button to become available. This is because this field is used to populate the banner in Outlook and Outlook Web App (OWA) and therefore the actual users will have visibility of this text. Therefore, be careful how you phrase the text in this field; we will see this text in action a little later.

Figure 56: Entering Rights Policy Template Identification Information

  1. Back at the Add Template Identification Information wizard screen, click Next to advance to the next screen which is named Add User Rights. This is displayed in Figure 57.

Figure 57: The Add User Rights Screen

  1. On the Add User Rights screen, click the Add… button to specify which users or groups will be able to use the information protected by our Do Not Reply template. You will be presented with the Add User or Group window as shown in Figure 58. I want this template to be available to everyone, so that’s the option I have chosen.

Figure 58: Granting Who Can Protect Content With The Template

  1. Back at the Add User Rights screen, I’m going to grant all rights except the Reply and Reply All rights as you can see from Figure 59. Once configured, we have enough information available to actually create the template and therefore we can click the Finish button. I’m not going to cover the expiration, extended policy or revocation settings in this article although feel free to step through these configuration tabs in your own lab environment.

Figure 59: Removing The Reply and Reply All Rights

  1. Once the wizard has been completed, you should be returned to the main Active Directory Rights Management Services snap-in with the new template information shown as you can see from Figure 60. That completes the configuration of the new RMS template.

Figure 60: Successful Creation of New Template

After creation of the new template, you can quickly view a summary of the rights associated with this template by simply selecting the View Rights Summary… option from the action pane. You can see this option in Figure 60 above, approximately half-way down the list of actions in the actions pane. With the Do Not Reply template highlighted and the View Rights Summary option selected, the following window is presented. Note again how the Reply and Reply All options are not enabled for this template.

Figure 61: Successful Creation of New Template

Finally, it is worth noting that if you have configured your templates to be available in a shared folder, it is a good idea to check that they are available in that shared folder as you can see from Figure 62. For each new template that you create, there should be a corresponding XML file created in the shared folder; in the example below, I created a share named RMS on the domain controller that is running Windows 2003.

Figure 62: New Templates in the Shared Folder

Using The New RMS Templates

Once the new RMS template has been created, we need to create a transport protection rule that intercepts messages sent from the Sales Report mailbox and applies the new RMS template. We covered the creation of a new transport protection rule in part six of this article so I am not going to repeat all of the steps here. However, Figure 63 shows how this rule looks in my lab environment.

Figure 63: New Transport Protection Rule Using New RMS Template

Once the transport protection rule has been created, all that we need to do is to send a message from the Sales Report mailbox and confirm that the Reply and Reply All buttons are not available to the end user. This can be seen in Figure 64. Note also that the description text that we supplied earlier is also displayed to the user.

Figure 64: Reply and Reply All Buttons Unavailable


Here in part seven we have focused on how to create a new RMS rights policy template that prevents users from replying to a message in Outlook. As I’m sure you can appreciate, there is much more to RMS configuration than I can cover in this article here. However, although this process may not be something that you do regularly within your environment, I hope that it has given you a good overview of the new template creation process.

If you would like to read the first part in this article series please go to:

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top