Updated: 2007-04-30
Users can restrict permission to documents and e-mail messages in the 2007 Microsoft Office system by using Information Rights Management (IRM). You can configure IRM options in your organization to encrypt document properties for IRM content, specify the down-level text that appears when users without IRM-enabled software receive content with IRM permissions, and so on.
Note: This topic is for Office administrators. To learn about using IRM to apply permissions to Office documents or e-mail messages, see Information Rights Management on Office Online.
Configuring IRM Group Policy settings
You can lock down many settings to customize IRM by using the Office Group Policy template (Office12.adm). You can also use the Office Customization Tool (OCT) to configure default settings that users can still change. The OCT settings are in corresponding locations on the Modify user settings page of the OCT. In addition, some IRM configuration options can be configured only by using registry key settings. For a list of all IRM registry keys, see Configuring IRM registry key options.
The Outlook template and other ADM files can be downloaded from 2007 Office System Administrative Templates (ADM) on the Microsoft Download Center. Learn more about using the OCT by visiting Customize the 2007 Office system.
To configure IRM options in Group Policy
- In Group Policy, load the 2007 Office system template (Office12.adm) and go to User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions.
- Double-click the option that you want to configure. For example, to prevent users from applying IRM permissions in all Office applications, double-click Disable Information Rights Management User Interface.
- Click Enabled.
- Click OK.
The settings you can configure for IRM in Group Policy and by using the OCT are listed in the following table.
IRM option | Description |
---|---|
Prevent users from changing permission on rights managed content | Users can consume content that already includes IRM permissions, but cannot apply IRM permissions to new content or edit the rights on a document. |
Message displayed to users who cannot view a rights-managed e-mail | Specify the text of the wrapper e-mail message sent with rights-managed e-mail. |
URL for location of document templates displayed when applications do not recognize rights-managed documents | Provide the path to a folder with document, spreadsheet, and presentation files to be used as templates for an unencrypted wrapper for files with rights-managed content received by users with previous versions of Office. |
Disable Information Rights Management User Interface | Disable all Rights Management-related options within the user interface of all Office applications. |
Additional permissions request URL | Specify the location where a user can obtain more information about getting access to IRM content. |
Allow users with earlier versions of Office to read with browsers… | Enable users without the Microsoft Office 2007 system to view rights-managed content by using the Rights Management Add-in for Windows Internet Explorer. |
Always require users to connect | Users opening a rights-managed Office document must connect to the Internet or local area network to confirm by Passport or RMS that they have a valid IRM license. |
Always expand groups in Office when restricting permission for documents | Group name is automatically expanded to display all the members of the group when users apply permissions to a document by selecting a group name in the Permissions dialog box. |
Never allow users to specify groups when restricting permission for documents | Return an error when users select a group in the Permission dialog box: "You cannot publish content to Distribution Lists. You may only specify e-mail addresses for individual users." |
Active Directory timeout for querying one entry for group expansion | Specify the timeout value for querying an Active Directory entry when expanding a group. |
Disable Microsoft Passport service for content with restricted permission | Users cannot open content created by a Passport authenticated account. |
Specify Permission Policy Path | Display in the Permission dialog box permission policy templates found in the folder specified. |
Do not allow users to upgrade Information Rights Management configuration | Do not allow users to run repair to change their Information Rights Management configuration. |
You can also configure several IRM settings for Office Outlook 2007. For more information about configuring IRM for Outlook, see Configure Information Rights Management in Outlook 2007.
Configuring IRM registry key options
IRM settings can be configured by Group Policy, by registry key, or both. The following tables list the IRM registry key settings in 2007 Office system and the corresponding Group Policy settings, when the setting can be locked down by using Group Policy.
The following IRM registry settings are located in HKCU\Software\Microsoft\Office\12.0\Common\DRM. Group Policy settings are in User Configuration\Microsoft Office 2007 system\Manage Restricted Permissions.
Name of Reg Entry | Reg Entry Type | Values for Reg Entry | Group Policy setting or description |
---|---|---|---|
Disable | DWORD | 0 = No functionality impacted by this registry key; 1 = All IRM functionality is removed; IRM is disabled | Disable Information Rights Management User Interface |
DisableCreation | DWORD | 1 (or non-zero) = An Enterprise Install behaves just like a Standard install. Users cannot create IRM content or edit the rights on a doc, but they can consume previously created content. 0 = IRM content creation is allowed when included in the product SKU | Prevent users from changing permissions on rights managed content |
IncludeHTML | DWORD | 1 = Include HTML stream; 0 = Do not include HTML stream | Allow Users With Earlier Version of Office to Read With Browsers |
DownlevelText | String | The text that appears in the wrapper e-mail. The default text is: If you are not running an e-mail application that supports messages with restricted permission, such as Microsoft Office Outlook 2003 or 2007, you can view this message by downloading the Rights Management Add-on for Microsoft Internet Explorer from http://r.office.microsoft.com/r/rlidRestrictedPermissionViewer?clid=1033. The CLID in the hyperlink is localized to the default language of the sender. | Message displayed to users who cannot view a rights-managed e-mail |
DownlevelTemplatePath | String | The path to a directory that stores templates. Templates are Office document templates. | URL for location of document templates displayed when applications do not recognize rights-managed documents |
CorpCertificationServer | String | URL to corporate certification server | No corresponding Group Policy setting. Typically the AD is used to specify the RMS server. This setting allows you to override the location of the Windows RMS specified in Active Directory for certification. |
AdminTemplatePath | String | The path to the RMS templates. All templates should be stored in the same directory. Path can include environment variables: for example, %userprofile%\application data. | Specify Permission Policy Path |
DisablePassportCertification | DWORD | 0 = No functionality impacted by this reg key; 1 = Disable passport | Disable Microsoft Passport service for content with restricted permission |
RequestPermissionURL | String | The URL of the person who can grant additional permissions. For example: mailto:someone@contoso.com. | Additional Permissions Request URL |
RequireConnection | DWORD | 1 = The box is checked by default and a connection is required. 0 = The box is cleared; users do not need a connection. | Always require users to connect to verify permissions |
RequestPermission | DWORD | 1 = The box is checked. 0 = The box is cleared. | No corresponding Group Policy setting. This registry key toggles the default value of the "Users can request additional permissions from" check box. |
DoNotAcquireDRMLicenseOnSync | DWORD | 1 = Outlook will not try to acquire licenses during the message synchronization. 0 = The license is automatically acquired. | No corresponding Group Policy setting. When Outlook downloads an IRM e-mail message, the license to view IRM content is automatically acquired. |
NeverAllowDLs | DWORD | 0 = Allow distribution lists. 1 = Disable distribution lists. | Never allow users to specify groups when restricting permission for documents |
CloudCertificationServer | String | URL to custom cloud certification server | No corresponding Group Policy setting. |
CloudLicenseServer | String | URL of the licensing server | No corresponding Group Policy setting. |
DRMPostSetupURL | String | URL of RMS client | URL where users can download the Windows Rights Management Services client. |
DoNotUseOutlookByDefault | DWORD | 0 = Outlook is used; 1 = Outlook is not used | No corresponding Group Policy setting. The permissions dialog uses Outlook to validate e-mail addresses entered in that dialog. This causes an instance of Outlook to be started when restricting permissions. Disable the option by using this key. |
DisableRepair | DWORD | 0 = Repair works normally. 1 = Repair is disabled. | Do not allow users to upgrade Information Rights Management configuration |
The following IRM registry setting is located in HKCU\Software\Microsoft\Office\12.0\Common\DRM\AutoExpandDLs. The corresponding Group Policy setting is in User Configuration\Microsoft Office 2007 system\Manage Restricted Permissions.
Name of Reg Entry | Reg Entry Type | Values for Reg Entry | Group Policy setting |
---|---|---|---|
AutoExpandDLsEnable | DWORD | 0 = Do not expand distribution lists in Permissions dialog; 1 = Expand distribution lists in Permissions dialog | Always expand groups in Office when restricting permissions for documents |
The following IRM registry setting is located in HKCU\Software\Microsoft\Office\12.0\Common\DRM\LicenseServers. There is no corresponding Group Policy setting.
Name of Reg Entry | Reg Entry Type | Values for Reg Entry | Description |
---|---|---|---|
LicenseServers | Key/Hive. Contains DWORD values that have the name of a license server. | Set to the server URL. If the value of the DWORD is 1, then Office will not prompt to acquire a license (it will just get it). If the value is zero or there is no registry entry for that server, Office prompts for a license. | Example: If 'http://foo/_wmcs/licensing = 1' is a value for this setting, then a user attempting to acquire a license from that server to open a rights-managed document would not be prompted for a license. |
The following IRM registry setting is located in HKCU\Software\Microsoft\Office\12.0\Common\Security. There is no corresponding Group Policy setting.
Name of Reg Entry | Reg Entry Type | Values for Reg Entry | Description |
---|---|---|---|
DRMEncryptProperty | DWORD | 1 = The file metadata is encrypted. 0 = The metadata is stored in clear text. The default value is 0. | Specify whether to encrypt all metadata stored inside a rights-managed file. |
For 2007 Office system Office Open XML file formats (for example, docx, xlsx, pptx, and so on), users can decide to encrypt the Office metadata stored inside a rights-managed file. Users can encrypt all Office metadata, including hyperlink references, or leave content unencrypted so other applications can access the data.
Users can opt to encrypt the metadata by setting a registry key. You can set a default option for users by deploying the registry setting. There is no option for encrypting some of the metadata: all metadata is encrypted or none is encrypted.
In addition, this registry setting does not determine whether non-Office client metadata storage—such as the storage SharePoint creates—is encrypted.
This encryption choice does not apply to Microsoft Office 2003 or other previous file formats. 2007 Office system handles earlier formats in the same way as Microsoft Office 2003.
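The following PowerShell check is an added example, not part of the original topic: it reads the registry values documented above for the current user, compares four of them with a baseline, and lists any LicenseServers entries that suppress the license prompt. The baseline values and the `Get-IrmValue` helper name are assumptions chosen for illustration; the key paths and value names are the ones listed in the tables.

```powershell
# Added example: read-only audit of the IRM registry values documented above.
$drm = 'HKCU:\Software\Microsoft\Office\12.0\Common\DRM'
$sec = 'HKCU:\Software\Microsoft\Office\12.0\Common\Security'

# Assumed baseline (not from the original topic): value name -> expected DWORD.
$baseline = @(
    @{ Path = $drm; Name = 'RequireConnection';  Expected = 1 }
    @{ Path = $drm; Name = 'NeverAllowDLs';      Expected = 1 }
    @{ Path = $drm; Name = 'DisableRepair';      Expected = 1 }
    @{ Path = $sec; Name = 'DRMEncryptProperty'; Expected = 1 }
)

function Get-IrmValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# Compare each documented value with the assumed baseline.
$report = foreach ($b in $baseline) {
    $actual = Get-IrmValue -Path $b.Path -Name $b.Name
    [pscustomobject]@{
        Setting  = $b.Name
        Expected = $b.Expected
        Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
        Match    = ($actual -eq $b.Expected)
    }
}
$report | Format-Table -AutoSize

# LicenseServers: each value name is a server URL; 1 means no license prompt.
$lsKey = Get-Item -Path "$drm\LicenseServers" -ErrorAction SilentlyContinue
if ($lsKey) {
    foreach ($url in $lsKey.GetValueNames()) {
        [pscustomobject]@{
            Server        = $url
            SilentAcquire = ($lsKey.GetValue($url) -eq 1)
        }
    }
}

# CorpCertificationServer overrides the RMS location published in Active Directory.
$override = Get-IrmValue -Path $drm -Name 'CorpCertificationServer'
if ($override) { Write-Output "Certification server override: $override" }
```

A DRMEncryptProperty row that shows "(not set)" means the default of 0 applies, so the metadata of rights-managed Office Open XML files is stored in clear text.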