Updated: 2007-04-30

Users can restrict permission to documents and e-mail messages in the 2007 Microsoft Office system by using Information Rights Management (IRM). You can configure IRM options in your organization to encrypt document properties for IRM content, specify the down-level text that appears when users without IRM-enabled software receive content with IRM permissions, and so on.

Note: This topic is for Office administrators. To learn about using IRM to apply permissions to Office documents or e-mail messages, see Information Rights Management on Office Online.

Configuring IRM Group Policy settings

You can lock down many settings to customize IRM by using the Office Group Policy template (Office12.adm). You can also use the Office Customization Tool (OCT) to configure default settings, which enables users to change the settings. The OCT settings are in corresponding locations on the Modify user settings page of the OCT. In addition, there are IRM configuration options that can only be configured by using registry key settings. For a list of all IRM registry keys, see Configuring IRM registry key options.

The Outlook template and other ADM files can be downloaded from 2007 Office System Administrative Templates (ADM) on the Microsoft Download Center. Learn more about using the OCT by visiting Customize the 2007 Office system.

To configure IRM options in Group Policy

  1. In Group Policy, load the 2007 Office system template (Office12.adm) and go to User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions.

  2. Double-click the option that you want to configure. For example, to prevent users from applying IRM permissions in all Office applications, double-click Disable Information Rights Management User Interface.

  3. Click Enabled.

  4. Click OK.

The settings you can configure for IRM in Group Policy and by using the OCT are listed in the following table.

| IRM option | Description |
| --- | --- |
| Prevent users from changing permission on rights managed content | Users can consume content that already includes IRM permissions, but cannot apply IRM permissions to new content nor edit the rights on a document. |
| Message displayed to users who cannot view a rights-managed e-mail | Specify the text of the wrapper e-mail message sent with rights-managed e-mail. |
| URL for location of document templates displayed when applications do not recognize rights-managed documents | Provide the path to a folder with document, spreadsheet, and presentation files to be used as templates for an unencrypted wrapper for files with rights-managed content received by users with previous versions of Office. |
| Disable Information Rights Management User Interface | Disable all Rights Management-related options within the user interface of all Office applications. |
| Additional permissions request URL | Specify the location where a user can obtain more information about getting access to IRM content. |
| Allow users with earlier versions of Office to read with browsers… | Enable users without the Microsoft Office 2007 system to view rights-managed content by using the Rights Management Add-in for Windows Internet Explorer. |
| Always require users to connect | Users opening a rights-managed Office document must connect to the Internet or local area network to confirm by Passport or RMS that they have a valid IRM license. |
| Always expand groups in Office when restricting permission for documents | Group name is automatically expanded to display all the members of the group when users apply permissions to a document by selecting a group name in the Permissions dialog box. |
| Never allow users to specify groups when restricting permission for documents | Return an error when users select a group in the Permission dialog box: "You cannot publish content to Distribution Lists. You may only specify e-mail addresses for individual users." |
| Active Directory timeout for querying one entry for group expansion | Specify the timeout value for querying an Active Directory entry when expanding a group. |
| Disable Microsoft Passport service for content with restricted permission | Users cannot open content created by a Passport authenticated account. |
| Specify Permission Policy Path | Display in the Permission dialog box permission policy templates found in the folder specified. |
| Do not allow users to upgrade Information Rights Management configuration | Do not allow users to run repair to change their Information Rights Management configuration. |

You can also configure several IRM settings for Office Outlook 2007. For more information about configuring IRM for Outlook, see Configure Information Rights Management in Outlook 2007.

Configuring IRM registry key options

IRM settings can be configured by Group Policy, by registry key, or both. The following tables list the IRM registry key settings in 2007 Office system and the corresponding Group Policy settings, when the setting can be locked down by using Group Policy.

The following IRM registry settings are located in HKCU\Software\Microsoft\Office\12.0\Common\DRM. Group Policy settings are in User Configuration\Microsoft Office 2007 system\Manage Restricted Permissions.

| Name of Reg Entry | Reg Entry Type | Values for Reg Entry | Group Policy setting or description |
| --- | --- | --- | --- |
| Disable | DWORD | 0 = No functionality impacted by this registry key. 1 = All IRM functionality is removed; IRM is disabled. | Disable Information Rights Management User Interface |
| DisableCreation | DWORD | 1 (or non-zero) = An Enterprise Install behaves just like a Standard install. Users cannot create IRM content or edit the rights on a doc, but they can consume previously created content. 0 = IRM content creation is allowed when included in the product SKU. | Prevent users from changing permissions on rights managed content |
| IncludeHTML | DWORD | 1 = Include HTML stream. 0 = Do not include HTML stream. | Allow Users With Earlier Version of Office to Read With Browsers |
| DownlevelText | String | The text that appears in the wrapper e-mail. The default text is: If you are not running an e-mail application that supports messages with restricted permission, such as Microsoft Office Outlook 2003 or 2007, you can view this message by downloading the Rights Management Add-on for Microsoft Internet Explorer from http://r.office.microsoft.com/r/rlidRestrictedPermissionViewer?clid=1033. The CLID in the hyperlink is localized to the default language of the sender. | Message displayed to users who cannot view a rights-managed e-mail |
| DownlevelTemplatePath | String | The path to a directory that stores templates. Templates are Office document templates. | URL for location of document templates displayed when applications do not recognize rights-managed documents |
| CorpCertificationServer | String | URL to corporate certification server | No corresponding Group Policy setting. Typically the AD is used to specify the RMS server. This setting allows you to override the location of the Windows RMS specified in Active Directory for certification. |
| AdminTemplatePath | String | The path to the RMS templates. All templates should be stored in the same directory. Path can include environment variables: for example, %userprofile%\application data. | Specify Permission Policy Path |
| DisablePassportCertification | DWORD | 0 = No functionality impacted by this reg key. 1 = Disable passport. | Disable Microsoft Passport service for content with restricted permission |
| RequestPermissionURL | String | The URL of the person who can grant additional permissions. For example: mailto:someone@contoso.com. | Additional Permissions Request URL |
| RequireConnection | DWORD | 1 = The box is checked by default and a connection is required. 0 = The box is cleared; users do not need a connection. | Always require users to connect to verify permissions |
| RequestPermission | DWORD | 1 = The box is checked. 0 = The box is cleared. | No corresponding Group Policy setting. This registry key toggles the default value of the "Users can request additional permissions from" check box. |
| DoNotAcquireDRMLicenseOnSync | DWORD | 1 = Outlook will not try to acquire licenses during the message synchronization. 0 = The license is automatically acquired. | No corresponding Group Policy setting. When Outlook downloads an IRM e-mail message, the license to view IRM content is automatically acquired. |
| NeverAllowDLs | DWORD | 0 = Allow distribution lists. 1 = Disable distribution lists. | Never allow users to specify groups when restricting permission for documents |
| CloudCertificationServer | String | URL to custom cloud certification server | No corresponding Group Policy setting. |
| CloudLicenseServer | String | URL of the licensing server | No corresponding Group Policy setting. |
| DRMPostSetupURL | String | URL of RMS client | URL where users can download the Windows Rights Management Services client. |
| DoNotUseOutlookByDefault | DWORD | 0 = Outlook is used. 1 = Outlook is not used. | No corresponding Group Policy setting. The permissions dialog uses Outlook to validate e-mail addresses entered in that dialog. This causes an instance of Outlook to be started when restricting permissions. Disable the option by using this key. |
| DisableRepair | DWORD | 0 = Repair works normally. 1 = Repair is disabled. | Do not allow users to upgrade Information Rights Management configuration |

The following IRM registry setting is located in HKCU\Software\Microsoft\Office\12.0\Common\DRM\AutoExpandDLs. The corresponding Group Policy setting is in User Configuration\Microsoft Office 2007 system\Manage Restricted Permissions.

| Name of Reg Entry | Reg Entry Type | Values for Reg Entry | Group Policy setting |
| --- | --- | --- | --- |
| AutoExpandDLsEnable | DWORD | 0 = Do not expand distribution lists in Permissions dialog. 1 = Expand distribution lists in Permissions dialog. | Always expand groups in Office when restricting permissions for documents |

The following IRM registry setting is located in HKCU\Software\Microsoft\Office\12.0\Common\DRM\LicenseServers. There is no corresponding Group Policy setting.

| Name of Reg Entry | Reg Entry Type | Values for Reg Entry | Description |
| --- | --- | --- | --- |
| LicenseServers | Key/Hive. Contains DWORD values that have the name of a license server. | Set to the server URL. If the value of the DWORD is 1, then Office will not prompt to acquire a license (it will just get it). If the value is zero or there is no registry entry for that server, Office prompts for a license. | Example: If 'http://foo/_wmcs/licensing = 1' is a value for this setting, then a user attempting to acquire a license from that server to open a rights-managed document would not be prompted for a license. |
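Because the server-related values above have no Group Policy counterpart, they are worth reviewing per user. The following PowerShell is an added example, not part of the original topic: it reports any certification or licensing server URL set in the DRM key and any LicenseServers entry that acquires licenses without prompting from a server outside an allowlist. The function name and `$ApprovedServers` are hypothetical; the single allowlist entry is the sample URL used on this page.

```powershell
# Added example. Key path and value names are the ones documented on this page;
# Get-IrmServerFinding and $ApprovedServers are hypothetical names.
$DrmKey          = 'HKCU:\Software\Microsoft\Office\12.0\Common\DRM'
$ApprovedServers = @('http://foo/_wmcs/licensing')   # assumed allowlist (page's sample URL)

function Get-IrmServerFinding {
    param(
        [Parameter(Mandatory)][string]$DrmKey,
        [string[]]$Approved = @()
    )

    # String values that point Office at a specific certification or licensing server.
    # The page notes that CorpCertificationServer overrides the RMS location in Active Directory.
    $key = Get-Item -Path $DrmKey -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($name in 'CorpCertificationServer', 'CloudCertificationServer', 'CloudLicenseServer') {
            $url = $key.GetValue($name)
            if ($url) {
                [pscustomobject]@{ Source = $name; Server = $url; Finding = 'Server URL set in registry' }
            }
        }
    }

    # Each value under LicenseServers is named after a server URL.
    # Data 1 = Office acquires the license without prompting; 0 or absent = prompt.
    $servers = Get-Item -Path "$DrmKey\LicenseServers" -ErrorAction SilentlyContinue
    if ($servers) {
        foreach ($url in $servers.GetValueNames()) {
            $silent = ($servers.GetValue($url) -eq 1)
            if ($silent -and ($Approved -notcontains $url)) {
                [pscustomobject]@{
                    Source  = 'LicenseServers'
                    Server  = $url
                    Finding = 'Unprompted license acquisition from unapproved server'
                }
            }
        }
    }
}

Get-IrmServerFinding -DrmKey $DrmKey -Approved $ApprovedServers | Format-Table -AutoSize
```

Run it in the context of the user being reviewed, because all of these values live under HKCU.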

The following IRM registry setting is located in HKCU\Software\Microsoft\Office\12.0\Common\Security. There is no corresponding Group Policy setting.

| Name of Reg Entry | Reg Entry Type | Values for Reg Entry | Description |
| --- | --- | --- | --- |
| DRMEncryptProperty | DWORD | 1 = The file metadata is encrypted. 0 = The metadata is stored in clear text. The default value is 0. | Specify whether to encrypt all metadata stored inside a rights-managed file. |

For 2007 Office system Office Open XML file formats (for example, docx, xlsx, pptx, and so on), users can decide to encrypt the Office metadata stored inside a rights-managed file. Users can encrypt all Office metadata, including hyperlink references, or leave content unencrypted so other applications can access the data.

Users can opt to encrypt the metadata by setting a registry key. You can set a default option for users by deploying the registry setting. There is no option for encrypting some of the metadata: all metadata is encrypted or none is encrypted.

In addition, this registry setting does not determine whether non-Office client metadata storage—such as the storage SharePoint creates—is encrypted.

This encryption choice does not apply to Microsoft Office 2003 or other previous file formats. 2007 Office system handles earlier formats in the same way as Microsoft Office 2003.
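To confirm that deployed registry settings match what you intended, you can compare the documented values against a baseline. The following PowerShell is an added example, not part of the original topic: it checks each value's presence, registry type and data. The function name and the expected values in `$Baseline` are assumptions chosen for illustration; the key paths, value names and types are the ones listed in the tables above.

```powershell
# Added example. Expected values are illustrative assumptions, not recommendations
# from this page; Get-IrmSettingDrift is a hypothetical name.
$DrmKey      = 'HKCU:\Software\Microsoft\Office\12.0\Common\DRM'
$SecurityKey = 'HKCU:\Software\Microsoft\Office\12.0\Common\Security'

$Baseline = @(
    @{ Key = $DrmKey;      Name = 'Disable';            Kind = 'DWord'; Expected = 0 }
    @{ Key = $DrmKey;      Name = 'DisableCreation';    Kind = 'DWord'; Expected = 0 }
    @{ Key = $DrmKey;      Name = 'RequireConnection';  Kind = 'DWord'; Expected = 1 }
    @{ Key = $DrmKey;      Name = 'NeverAllowDLs';      Kind = 'DWord'; Expected = 1 }
    @{ Key = $DrmKey;      Name = 'DisableRepair';      Kind = 'DWord'; Expected = 1 }
    @{ Key = $SecurityKey; Name = 'DRMEncryptProperty'; Kind = 'DWord'; Expected = 1 }
)

function Get-IrmSettingDrift {
    param([Parameter(Mandatory)][hashtable[]]$Baseline)

    foreach ($item in $Baseline) {
        $status = 'NotSet'   # value or key is absent, so Office uses its default
        $actual = $null
        $key = Get-Item -Path $item.Key -ErrorAction SilentlyContinue
        if ($key -and ($key.GetValueNames() -contains $item.Name)) {
            $actual = $key.GetValue($item.Name)
            $kind   = $key.GetValueKind($item.Name)
            if ("$kind" -ne $item.Kind)         { $status = "WrongType($kind)" }
            elseif ($actual -ne $item.Expected) { $status = 'Drift' }
            else                                { $status = 'OK' }
        }
        [pscustomobject]@{
            Name     = $item.Name
            Expected = $item.Expected
            Actual   = $actual
            Status   = $status
        }
    }
}

Get-IrmSettingDrift -Baseline $Baseline | Format-Table -AutoSize
```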
