Understanding the AD RMS Administration Provider Namespace
Updated: October 22, 2009
Applies To: Windows Server 2008 R2, Windows Server 2008 R2 with SP1
The Active Directory Rights Management Services (AD RMS) Windows PowerShell administration provider exposes a namespace that represents the various configuration settings that you can make to a server running AD RMS. You configure these settings by using Windows PowerShell cmdlets to traverse this namespace and then create or delete items in the namespace, or set properties on those items. The namespace closely parallels the hierarchy of settings that are made available in the AD RMS graphical user interface (GUI) administration tools to make it easier to associate the items in the administration namespace with the corresponding settings exposed by the GUI tools.
This topic lists the containers in the administration namespace, explains what configuration settings each container represents, and lists the subcontainers or items that it can hold.
- <drive>:\
The root container of the administration namespace represents the properties of the cluster itself. You can work with these properties by using the Get-ItemProperty and Set-ItemProperty cmdlets to view and change the following properties:
IsDecommissioned
AdministrativeContact
IsLoggingEnabled
IntranetLicensingUrl
ExtranetCertificationUrl
ExtranetLicensingUrl
SvrLicCertFriendlyName
ScpUrl
IsProxyRequired
You can also use the Get-ItemProperty cmdlet to view these read-only properties:
ClusterName
ClusterType
ClusterServerList
LoggingDatabaseServer
LoggingDatabaseName
LoggingServiceName
LoggingQueueName
ConfigurationDatabaseServer
ConfigurationDatabaseName
IntranetCertificationUrl
SvrLicCertHierarchy
RegisteredServiceDomain
- <drive>:\ExclusionPolicy
This container holds containers that represent the application, lockbox, and user exclusion policies of the cluster. For more information about working with exclusion policies, see Enabling Exclusion Policies.
- <drive>:\ExclusionPolicy\Application
This container holds items that represent excluded application versions. Use Set-ItemProperty to change the IsEnabled property of the container to enable or disable application exclusion. To control which application versions are excluded, use the New-Item and Remove-Item cmdlets. For more information, see Excluding Applications.
- <drive>:\ExclusionPolicy\Lockbox
This container holds items that represent excluded application lockboxes. Use Set-ItemProperty to change the IsEnabled property of the container to enable or disable lockbox exclusion. To change the minimum lockbox version, set the LockBoxMinimumVersion property. For more information, see Excluding Lockboxes.
- <drive>:\ExclusionPolicy\User
This container holds items that represent excluded users. Use Set-ItemProperty to change the IsEnabled property of the container to enable or disable user exclusion. To control which users are excluded, use the New-Item and Remove-Item cmdlets. For more information, see Excluding Users.
- <drive>:\IssuancePolicy
This container represents the rights account certificate issuance policy. Use the Set-ItemProperty cmdlet to set the StandardCertValidityPeriodInDays and TemporaryCertValidityPeriodInMinutes properties of the container to modify this policy. For more information, see Specifying the Rights Account Certificate Validity Duration.
- <drive>:\Report
This container gives you access to a set of cmdlets that query the cluster databases for different kinds of information. For more information, see Working with Reports.
- <drive>:\RightsPolicyTemplate
This container holds subcontainers that represent rights policy templates. Use the Set-ItemProperty cmdlet to set the PublishUNCFilePath property of this container to specify where templates are published. Use the New-Item cmdlet to create a rights policy template, the Copy-Item cmdlet to copy a template, and the Remove-Item cmdlet to remove a template. For more information, see Configuring Rights Policy Templates and Creating a New Rights Policy Template.
- <drive>:\RightsPolicyTemplate\<templateID>
This container represents the rights policy template identified by <templateID> and holds subcontainers that represent settings of the template. Use the Set-ItemProperty cmdlet to change the IsDistributed property of this container to distribute or archive the template. If the template is archived, you can also set the IsReadyOnly property. For more information, see Configuring Rights Policy Templates and Archiving a Rights Policy Template.
- <drive>:\RightsPolicyTemplate\<templateID>\ExpirationPolicy
This container represents the expiration policy for the rights policy template identified by <templateID>. Use the Set-ItemProperty cmdlet to set the ContentExpiredOnDateInDaysOrNever and UseLicenseExpiredInDays properties of this container. For more information, see Editing a Rights Policy Template.
- <drive>:\RightsPolicyTemplate\<templateID>\ExtendedPolicy
This container represents the extended policy settings of the rights policy template identified by <templateID> and contains items that represent application-specific policy name-value pairs. Use the Set-ItemProperty cmdlet to set the IsViewInTrustedBrowserEnabled and IsOnetimeLicenseEnabled properties of the container, and use the New-Item cmdlet to add a name-value pair. For more information, see Editing a Rights Policy Template.
- <drive>:\RightsPolicyTemplate\<templateID>\IdentificationInfo
This container holds items that represent the locale-specific information of the rights policy template identified by <templateID>. Use the New-Item cmdlet to add locale-specific identification information to the template. For more information, see Editing a Rights Policy Template.
- <drive>:\RightsPolicyTemplate\<templateID>\RevocationPolicy
This container represents the revocation policy of the rights policy template identified by <templateID>. Use the Set-ItemProperty cmdlet to set the Location, RefreshPerDays, and PublicKeyFilePath properties of this container. For more information, see Editing a Rights Policy Template.
- <drive>:\RightsPolicyTemplate\<templateID>\UserRight
This container holds items representing users and the rights granted to them. Use the Set-ItemProperty cmdlet to set the RightsRequestUrl and CustomRightDefinitionList properties of the container. Use the New-Item cmdlet to add a user and assign rights to the user. For more information, see Editing a Rights Policy Template.
- <drive>:\SecurityPolicy
This container holds subcontainers that represent the super-user and cluster key–password settings of the cluster.
- <drive>:\SecurityPolicy\SuperUser
This container represents the super-user security settings of the cluster. Use the Set-ItemProperty cmdlet to set the IsEnabled and SuperUserGroup properties of the container. For more information, see Setting up a Super Users Group.
- <drive>:\SecurityPolicy\ClusterKeyPassword
This container represents the cluster key–password settings of the cluster. Use the Set-ItemProperty cmdlet to change the cluster key password. For more information, see Resetting the AD RMS Cluster Key Password.
- <drive>:\TrustPolicy
This container holds items that represent the cluster’s federated identity support and collections of trusted domains. For more information, see Establishing Trust Policies.
- <drive>:\TrustPolicy\FederatedIdentitySupport
This container represents the federated identity support policy of the cluster and is available only when federated identity support is installed. Use the Set-ItemProperty cmdlet to set the IsEnabled, CertificateValidityPeriod, CertificateServiceUrl, and IsProxyEmailAddressAllowed properties of the container. For more information, see Configuring Federated Identity Support Settings.
- <drive>:\TrustPolicy\TrustedPublishingDomain
This container holds items that represent the publishing domains trusted by the cluster. Use the Import-RmsTPD cmdlet to add a trusted publishing domain to this container and the Remove-Item cmdlet to remove a trusted publishing domain. You can also use the Export-RmsTPD cmdlet to export a trusted publishing domain to a file. For more information, see Adding a Trusted Publishing Domain and Exporting a Trusted Publishing Domain.
- <drive>:\TrustPolicy\TrustedUserDomain
This container holds items that represent the user domains trusted by the cluster. Use the Import-RmsTUD cmdlet to add a trusted user domain to this container and the Remove-Item cmdlet to remove a trusted user domain. You can also use the Export-RmsTUD cmdlet to export a trusted user domain to a file. For more information, see Adding a Trusted User Domain, Using Windows Live ID to Establish RACs for Users, and Exporting a Trusted User Domain.
- <drive>:\TrustPolicy\TrustedUserDomain\<domainID>
This container represents a user domain trusted by the cluster. These user domains can include the internal trusted user domain (TUD), an external TUD that was previously imported, or Windows Live ID. Use the Set-ItemProperty cmdlet to set the IsLicensingToSIDEnabled property of an internal or external TUD, the TrustedEmailDomain property of an external TUD or the Windows Live ID domain, or the IsADFederatedUserTrused property of an external TUD.
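The following script is an added example, not part of the original topic: a read-only walk over the containers above that collects the exclusion, issuance, super-user, and trust settings into one table for configuration review. It assumes the AD RMS provider drive is already mounted; the drive name RmsCluster and the function name Get-RmsSecuritySetting are placeholders chosen for this example.

```powershell
# Added example: read-only review of AD RMS settings. Assumes the AD RMS
# provider drive is already mounted; "RmsCluster" is a placeholder drive name.
param([string]$Drive = 'RmsCluster')

function Get-RmsSecuritySetting {
    param([string]$Drive)

    # Container (relative to the drive root) -> properties named in this topic.
    $checks = @(
        @{ Path = '';                            Names = @('IsDecommissioned', 'IsLoggingEnabled') },
        @{ Path = 'ExclusionPolicy\Application'; Names = @('IsEnabled') },
        @{ Path = 'ExclusionPolicy\Lockbox';     Names = @('IsEnabled', 'LockBoxMinimumVersion') },
        @{ Path = 'ExclusionPolicy\User';        Names = @('IsEnabled') },
        @{ Path = 'IssuancePolicy';              Names = @('StandardCertValidityPeriodInDays', 'TemporaryCertValidityPeriodInMinutes') },
        @{ Path = 'SecurityPolicy\SuperUser';    Names = @('IsEnabled', 'SuperUserGroup') },
        @{ Path = 'TrustPolicy\FederatedIdentitySupport'; Names = @('IsEnabled', 'IsProxyEmailAddressAllowed') }
    )

    foreach ($c in $checks) {
        $path = "${Drive}:\$($c.Path)"
        if (-not (Test-Path -Path $path)) {
            # FederatedIdentitySupport exists only when that feature is installed.
            New-Object PSObject -Property @{ Path = $path; Property = '(container not present)'; Value = $null }
            continue
        }
        # Assumption: the provider returns one object carrying the requested properties.
        $props = Get-ItemProperty -Path $path -Name $c.Names
        foreach ($n in $c.Names) {
            New-Object PSObject -Property @{ Path = $path; Property = $n; Value = $props.$n }
        }
    }

    # Trusted publishing and user domains are child items, so enumerate them.
    foreach ($sub in 'TrustedPublishingDomain', 'TrustedUserDomain') {
        $path = "${Drive}:\TrustPolicy\$sub"
        foreach ($item in @(Get-ChildItem -Path $path)) {
            New-Object PSObject -Property @{ Path = $path; Property = 'Item'; Value = $item.PSChildName }
        }
    }
}

Get-RmsSecuritySetting -Drive $Drive | Select-Object Path, Property, Value
```

Piping the output to Export-Csv and comparing successive runs with Compare-Object highlights changes such as a newly imported trusted domain or a super users group that has been switched on.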
See Also
Concepts
Using Windows PowerShell to Administer AD RMS
AD RMS Administration Cmdlets
Administering Certificates
Enabling Exclusion Policies
Establishing Trust Policies
Configuring Accounts
Configuring Rights Policy Templates
Working with Reports