Article ID: 2605692

INTRODUCTION

This article introduces an update for Windows Server 2008 R2 that enables simple delegation in Active Directory Rights Management Services (AD RMS). After you install this update, the rights of an executive can easily be delegated to assistants. This update enables the assistants to have the same level of access permission to Information Rights Management (IRM)-protected content as the executive.

Resolution

An Active Directory schema extension must be applied that introduces the msRMSDelegator and msRMSDelegatorBL attributes to the user class in Active Directory. An SQL script must be run to enable this functionality.
Notes
  • The Active Directory schema extension must be applied to all forests where RMS Licensing occurs.
  • The AD RMS service account must have permission to query this attribute.
  • A third-party application is necessary to add values to this new attribute.
After you install the hotfix, use the following manual steps to enable simple delegation:
  • Extend the Active Directory schema for the msRMSDelegator attribute.
    1. Copy the following text into a text file that is named AddAttribute.ldf. Make sure that you update the "dc" field with the appropriate values if you are not using the -c argument in the following command. 
      # Record 1: create the forward-link attribute. Each LDIF record must be
      # separated from the next by a blank line.
      dn: cn=ms-RMS-Delegator,cn=Schema,cn=Configuration,dc=x
      changetype: add
      objectClass: attributeSchema
      attributeId: 1.2.840.113556.1.8000.999999.1.2
      ldapDisplayName: msRMSDelegator
      attributeSyntax: 2.5.5.1
      adminDescription: RMS Delegator Attribute
      adminDisplayName: msRMSDelegator
      oMObjectClass:: KwwCh3McAIVK
      oMSyntax: 127
      # Setting linkId to the OID of the linkId attribute itself asks AD DS to
      # generate the link ID automatically.
      linkId: 1.2.840.113556.1.2.50
      isMemberOfPartialAttributeSet: TRUE
      systemOnly: FALSE

      # Record 2: allow the attribute on the user class.
      dn: cn=User,cn=Schema,cn=Configuration,dc=x
      changetype: modify
      add: mayContain
      mayContain: 1.2.840.113556.1.8000.999999.1.2
      -

      # Record 3: force the schema cache to reload (rootDSE, so the dn is empty).
      dn: 
      changetype: modify
      add: schemaUpdateNow
      schemaUpdateNow: 1
      -
      
    2. Run the following ldifde.exe command to extend the schema. In this command, the placeholder distinguished_name represents your domain’s distinguished name, such as "dc=contoso, dc=com." (Make sure that you update the "dc" field with the appropriate values if you are not using the -c argument in the command.)
      ldifde -i -f addattribute.ldf -s server:port -b username domain password -j . -c "cn=Configuration,dc=X" "cn=Configuration,[distinguished_name]"
  • Extend Active Directory schema for the msRMSDelegatorBL attribute.
    1. Copy the following text into a text file that is named AddAttributeBacklink.ldf. Make sure that you update the "dc" field with the appropriate values if you are not using the -c argument in the following command.
      # Record 1: create the back-link attribute. Each LDIF record must be
      # separated from the next by a blank line.
      dn: cn=ms-RMS-DelegatorBL,cn=Schema,cn=Configuration,dc=x
      changetype: add
      objectClass: attributeSchema
      attributeId: 1.2.840.113556.1.8000.999999.1.3
      ldapDisplayName: msRMSDelegatorBL
      attributeSyntax: 2.5.5.1
      adminDescription: RMS Delegator Attribute Back Link
      adminDisplayName: msRMSDelegatorBL
      oMObjectClass:: KwwCh3McAIVK
      oMSyntax: 127
      # For a back link, linkId names the forward-link attribute it pairs with.
      linkId: msRMSDelegator
      isMemberOfPartialAttributeSet: TRUE
      systemOnly: FALSE

      # Record 2: allow the attribute on the user class.
      dn: cn=User,cn=Schema,cn=Configuration,dc=x
      changetype: modify
      add: mayContain
      mayContain: 1.2.840.113556.1.8000.999999.1.3
      -

      # Record 3: force the schema cache to reload (rootDSE, so the dn is empty).
      dn: 
      changetype: modify
      add: schemaUpdateNow
      schemaUpdateNow: 1
      -
      
    2. Run the following ldifde.exe command to extend the schema. In this command, the placeholder distinguished_name represents your domain’s distinguished name, such as "dc=contoso, dc=com." (Make sure that you update the "dc" field with the appropriate values if you are not using the -c argument in the command.)
      ldifde -i -f addattributebacklink.ldf -s server:port -b username domain password -j . -c "cn=Configuration,dc=X" "cn=Configuration,[distinguished_name]"
  • Enable simple delegation by updating the AD RMS cluster policy DelegationType.
    1. Copy the following text into a text file that is named EnableDelegation.sql.
      INSERT INTO [DRMS_ClusterPolicies] (PolicyName,PolicyData) VALUES ('DelegationType','1')
      Note Setting the DelegationType to 0 will disable simple delegation.
    2. From a command line, run the following sqlcmd command. Replace SERVERNAME with the appropriate SQL Server name, and replace DATABASENAME with the name of the AD RMS configuration database (DRMS_Config_<ClusterName>_<Port>):
      sqlcmd -E -S SERVERNAME -d DATABASENAME -i EnableDelegation.sql
To add values to the msRMSDelegator attribute, follow these steps:
  1. Use an LDAP editor such as ADSI Edit (adsiedit.msc) from the server that is running Active Directory Domain Services.
  2. Expand CN=Users.
  3. Locate the Delegator user (for example, locate Executive), and copy the distinguishedName attribute value.
  4. Locate the Delegate (for example, locate Admin Assistant), and paste the value that you copied in step 3 into the msRMSDelegator attribute value.
Notes
  • msRMSDelegator is a multivalued attribute.
  • msRMSDelegatorBL is a multivalued attribute that is not used directly by AD RMS.
  • The msRMSDelegator and msRMSDelegatorBL attributes are linked attributes. When a value is assigned to one of these attributes, Active Directory Domain Services automatically updates the other attribute to show the reverse relationship. msRMSDelegatorBL can be used for reporting.
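The ADSI Edit steps above, together with a check that the schema extension from the earlier steps took effect, as an added PowerShell example that is not part of this article: it assumes the RSAT Active Directory module is available on the server and uses constructed placeholder account names ('executive', 'admin.assistant').

```powershell
# Added example (not from the KB article): verify the schema extension, then set and
# audit AD RMS simple delegation with the Active Directory PowerShell module (RSAT).
# The account names are constructed placeholders; run as an account allowed to
# write msRMSDelegator on the delegate's user object.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# 1. Confirm that both attributes exist in this forest's schema and form a valid
#    link pair: the forward link has an even linkId and the back link is linkId + 1.
$fwd = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msRMSDelegator)' `
                    -Properties linkId, attributeSyntax
$bl  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msRMSDelegatorBL)' `
                    -Properties linkId
if (-not $fwd -or -not $bl) {
    throw 'msRMSDelegator/msRMSDelegatorBL are not in the schema of this forest'
}
if (($fwd.linkId % 2) -ne 0 -or $bl.linkId -ne ($fwd.linkId + 1)) {
    throw "linkId pair is not valid: $($fwd.linkId) / $($bl.linkId)"
}
if ($fwd.attributeSyntax -ne '2.5.5.1') { throw 'msRMSDelegator is not DN syntax' }

# 2. Delegate: add the executive's (delegator's) DN to the assistant's (delegate's)
#    multivalued msRMSDelegator attribute, which is what the ADSI Edit steps do by hand.
$executive = Get-ADUser -Identity 'executive'       # placeholder sAMAccountName
$assistant = Get-ADUser -Identity 'admin.assistant' # placeholder sAMAccountName
Set-ADUser -Identity $assistant -Add @{ msRMSDelegator = $executive.DistinguishedName }

# 3. Report from the back link, which AD DS maintains automatically: every executive
#    whose rights are delegated and the delegates who can open their protected content.
Get-ADUser -LDAPFilter '(msRMSDelegatorBL=*)' -Properties msRMSDelegatorBL |
    ForEach-Object {
        $delegator = $_
        foreach ($delegateDN in $delegator.msRMSDelegatorBL) {
            [pscustomobject]@{
                Delegator = $delegator.SamAccountName
                Delegate  = (Get-ADUser -Identity $delegateDN).SamAccountName
            }
        }
    } | Format-Table -AutoSize
```

Because every delegate gets the executive's level of access to IRM-protected content, the report in step 3 is the list to review when an executive's assistants change.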

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website:
http://support.microsoft.com/contactus/?ws=support
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must be running Windows Server 2008 R2 Service Pack 1 (SP1). For more information about how to obtain a Windows Server 2008 R2 service pack, click the following article number to view the article in the Microsoft Knowledge Base:
976932 Information about Service Pack 1 for Windows 7 and for Windows Server 2008 R2

Registry information

To apply the hotfix, you do not have to change the registry.

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.

File information

The global version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.
Windows Server 2008 R2 file information notes
Important Windows 7 hotfixes and Windows Server 2008 R2 hotfixes are included in the same packages. However, hotfixes on the Hotfix Request page are listed under both operating systems. To request the hotfix package that applies to one or both operating systems, select the hotfix that is listed under "Windows 7/Windows Server 2008 R2" on the page. Always refer to the "Applies To" section in articles to determine the actual operating system that each hotfix applies to.
  • The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
    Version           Product                  Milestone   Service branch
    6.1.7601.21xxx    Windows Server 2008 R2   SP1         LDR
  • The MANIFEST files (.manifest) that are installed for each environment are listed separately in the "Additional file information for Windows Server 2008 R2" section. MANIFEST files and the associated security catalog (.cat) files are extremely important to maintain the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.
For all supported x64-based versions of Windows Server 2008 R2
File name                                         File version     File size   Date          Time    Platform
Microsoft.rightsmanagementservices.shared.dll     6.1.7601.21849   2,363,392   29-Oct-2011   06:33   x86
Microsoft.rightsmanagementservices.pipeline.dll   6.1.7601.21849   356,352     29-Oct-2011   06:33   x86

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More information

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Additional file information

Additional file information for Windows Server 2008 R2

Additional files for all supported x64-based versions of Windows Server 2008 R2
File name:    Amd64_54901134c230cf8b66d41e3e62185f95_31bf3856ad364e35_6.1.7601.21849_none_ba8d3c6473b7f486.manifest
File version: Not applicable
File size:    714
Date (UTC):   31-Oct-2011
Time (UTC):   17:23
Platform:     Not applicable

File name:    Amd64_da3f7fd20d719357c79326b1ddc54938_31bf3856ad364e35_6.1.7601.21849_none_147b2ee7938755ea.manifest
File version: Not applicable
File size:    716
Date (UTC):   31-Oct-2011
Time (UTC):   17:23
Platform:     Not applicable

File name:    Msil_microsoft.rightsman..mentservices.shared_31bf3856ad364e35_6.1.7601.21849_none_6a98f2d071be585a.manifest
File version: Not applicable
File size:    2,009
Date (UTC):   29-Oct-2011
Time (UTC):   07:23
Platform:     Not applicable

File name:    Msil_microsoft.rightsman..ntservices.pipeline_31bf3856ad364e35_6.1.7601.21849_none_2cadeb544a3976fb.manifest
File version: Not applicable
File size:    1,628
Date (UTC):   29-Oct-2011
Time (UTC):   07:23
Platform:     Not applicable

Properties

Article ID: 2605692 - Last Review: July 27, 2012 - Revision: 4.0
Applies to
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Foundation
  • Windows Server 2008 R2 Standard
Keywords: kbautohotfix kbqfe kbhotfixserver kbfix kbexpertiseadvanced kbsurveynew KB2605692
