AD RMS Policy Template expiration with AD RMS SDK? Possible?

  • Question

  • Hello,

    We all know that AD RMS enables file expiration, if the file expires it will be ciphered and no longer accessible...

    We want to know if there is a way to enable policy expiration (determine the lifetime of the policy), for example the possibility to define a policy that applies for 1 month; after that the files are no longer protected and available for everyone.

    Help is needed, some links to similar code source examples are welcome

    Thanks in advance




    Wednesday, August 3, 2011 12:38 PM


All replies

  • Sorry, I don't have links to source code, but what you are trying to custom code should be achievable. So essentially parsing the document, catching the flag that the document has expired and then removing the protection using the document owner's credentials.

    But why would you want to do that?

    Blog Link: http://blogs.cyquent.ae | Follow us on Twitter: @cyquent | ADRMS Wiki Portal: Technet Wiki

    Wednesday, August 3, 2011 9:33 PM
  • We are trying to do that because our client has some confidential documents (marketing promotions, new products) that will no longer be confidential past a given time.

    So what do you recommend for achieving this?


    Any documentation on how to parse a document, the flag ... ? 


    Thanks in advance


    Thursday, August 4, 2011 7:09 AM
  • For the documentation, can you refer to http://msdn.microsoft.com/en-us/library/cc542552(VS.85).aspx if not checked already

    Maybe Jim and the other guys can provide some referrals for the code.

    I am just testing if you can achieve the same using FCI and the bulk protection tool.  


    Thursday, August 4, 2011 10:20 AM
  • One approach I can think of is to have an app-specific data element in the policy that specifies the number of days until which the document will stay protected after protection. So this will be available in all EULs issued for that Policy Template. On the client you will need an AD RMS enabled agent that periodically (maybe at least once daily) goes through the protected files on the client and unprotects the files that are past the "policy days" limit. Microsoft provides Office File Format protectors. You can hook into those in order to get a peek at the user's embedded EUL (or you can look at the code for the protectors to figure out what stream inside the compound document has the embedded EULs). In cases where the EUL is not embedded but written to the DRM store you can enumerate the EULs based on the issuance license embedded inside the document. The issuance license has a timestamp that you will need for comparison with the "policy days" parameter. Either way once you have the EUL you can then use it to decrypt the content and save it unprotected.

    I am assuming that you are familiar with the AD RMS SDK and C++ since you will need them heavily in the solution described above.

    Thursday, August 11, 2011 4:33 PM
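
The expiry decision described in the last reply (issuance-license timestamp compared against an app-specific "policy days" value), as an added example that is not code from this thread or from the AD RMS SDK. The license fragment is constructed and simplified; its element names, the `PolicyDays` key and the `MAX_POLICY_DAYS` bound are assumptions, and the agent is assumed to have validated the license before reading it.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed, simplified issuance-license fragment. Element and attribute names
# are assumptions; a real license is signed XrML and must be validated first.
SAMPLE_LICENSE = """<XrML><BODY>
  <ISSUEDTIME>2011-08-03T12:38</ISSUEDTIME>
  <AUTHENTICATEDDATA id="APPSPECIFIC" name="PolicyDays">30</AUTHENTICATEDDATA>
</BODY></XrML>"""

MAX_POLICY_DAYS = 3650  # hypothetical sanity bound on the template value


def policy_window(license_xml, key="PolicyDays"):
    """Return (issued_utc, days), or None when either value is missing or invalid."""
    try:
        root = ET.fromstring(license_xml)
        issued = datetime.strptime(root.findtext(".//ISSUEDTIME").strip(),
                                   "%Y-%m-%dT%H:%M").replace(tzinfo=timezone.utc)
        values = [el.text for el in root.iter("AUTHENTICATEDDATA")
                  if el.get("id") == "APPSPECIFIC" and el.get("name") == key]
        if len(values) != 1:          # missing or ambiguous: do not guess
            return None
        days = int(values[0].strip())
    except (ET.ParseError, AttributeError, TypeError, ValueError):
        return None
    if not 0 < days <= MAX_POLICY_DAYS:
        return None
    return issued, days


def should_unprotect(license_xml, now):
    """True only when the policy lifetime has provably elapsed (fails closed)."""
    window = policy_window(license_xml)
    if window is None:
        return False                  # unreadable policy: keep the file protected
    issued, days = window
    return now >= issued + timedelta(days=days)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print("unprotect sample:", should_unprotect(SAMPLE_LICENSE, now))
```

Any parse failure, missing value or out-of-range day count leaves the file protected, so a damaged or unexpected license never causes the agent to decrypt content early.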