Rights Protected Folder Explorer (RPFe) is a Windows-based application that allows you to protect files and folders. A Rights Protected Folder is similar to a file folder in that it contains files and folders. However, a Rights Protected Folder controls access to the files that it contains, no matter where the Rights Protected Folder is located. By using Rights Protected Folder Explorer, you can securely store or send files to authorized users and control which users will be able to access those files while they are in the Rights Protected Folder. For more information please visit the RPFe blog post.
Today, FCI enables administrators to automatically RMS protect sensitive information on file servers. We had several requests for enabling FCI to RMS protect other file types, and we partnered with the RPFe team to provide a solution that enables that scenario.
Using FCI and RPFe, IT admins can Rights Management Services (RMS) protect any file on a file server. Once the files are protected, only authorized users will be able to access those files, even if they are copied to another location. To protect non-Microsoft Office file formats, an FCI File Management Job (FMJ) with a custom action can be used together with RPFe. We will now explore how to accomplish the task of protecting sensitive files other than Microsoft Office files. RPFe has a command line utility that can protect files. An FCI File Management Job custom action can be used to invoke the RPFe command line utility under a desired namespace/share where the admin wants to protect files automatically.
RPFExplorer.exe /Create /Rpf:"G:\Share\CustomerInfo.txt.rpf" /TemplateId:{00a956d6-d14c-4a2c-bf86-c1e70b731e7b} /File:"G:\Share\CustomerInfo.txt"
The original file stays the way it is and no change is made to it. A new RMS protected RPFe container is created under the same parent directory, and it contains a copy of the original file.
To automate file protection using RPFe and FCI, follow the steps below. The FMJ custom action calls a PowerShell script for each file that meets the FMJ condition. The PowerShell script calls the RPFe command line utility to protect the file.
Create a File Management Job with custom action on a desired share with the following configurations
#
# Main Routine Begin
#
# Arguments as used below: $args[0] = RMS template ID, $args[1] = file to protect,
# $args[2] = file owner email, $args[6] = administrator email (fallback)
$TemplateID = $args[0]
$encryptfile = $args[1]
$newfile = $encryptfile + ".rpf"

# verify that the new file name does not exist and attempt to find a new name
$ver = 0
while (Test-Path $newfile)
{
    $ver = $ver + 1
    $newfile = $encryptfile + $ver + ".rpf"
    if ($ver -gt 100) {
        exit -1 # could not find a good name for the rpf file
    }
}

# get the owner of the file, if not found use the supplied administrator email address
$owneremail = $args[2]
if ($owneremail -eq "[Source")
{
    $owneremail = $args[6]
}

# run the RPF Explorer to encrypt the file (both paths are quoted so spaces survive)
$arguments = "/Create /Rpf:`"$newfile`" /TemplateId:$TemplateID /File:`"$encryptfile`" /Owner:$owneremail"
$run = Start-Process -Wait -PassThru -FilePath "C:\Microsoft_Rights_Protected_Folder_Explorer\RPFExplorer.exe" -ArgumentList $arguments
if ($run.ExitCode -eq 0)
{
    # transfer properties from the old file to the new file
    $cm = New-Object -ComObject FSRM.FSRMClassificationManager
    $props = $cm.EnumFileProperties($encryptfile, 1)
    try
    {
        foreach ($prop in $props)
        {
            $cm.SetFileProperty($newfile, $prop.Name, $prop.Value)
        }
    } catch [Exception] {
        # do not leave behind a protected copy that lacks its classification properties
        Remove-Item $newfile
        exit -1
    }
    # remove-item $encryptfile
    # The original file can be removed after successfully creating a protected copy.
    # Before adding the above remove-item line, please test in your environment and verify that there is no data loss
}
exit $run.ExitCode
#
# Main routine end
#
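The script above leaves the remove-item line commented out until you have verified that there is no data loss. The following read-only check is an added example, not part of the original post or of RPFe: it lists every file under a share that has no usable .rpf copy beside it. The function name Get-RpfCoverage and the path G:\Share are assumptions.

```powershell
# Added example, not part of the original post. Read-only: it deletes nothing.
# Assumption: protected copies follow the naming used by the script above,
# "<original>.rpf" or "<original><n>.rpf", in the same directory.
function Get-RpfCoverage {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path   # root of the share the File Management Job runs against
    )

    $originals = Get-ChildItem -LiteralPath $Path -Recurse -File |
        Where-Object { $_.Extension -ne '.rpf' }

    foreach ($file in $originals) {
        # Match CustomerInfo.txt.rpf as well as CustomerInfo.txt1.rpf, CustomerInfo.txt2.rpf, ...
        $pattern = '^' + [regex]::Escape($file.Name) + '\d*\.rpf$'
        $copies = @(Get-ChildItem -LiteralPath $file.DirectoryName -File -Filter '*.rpf' |
            Where-Object { $_.Name -match $pattern })

        # A usable copy is non-empty and at least as new as the original.
        # An older copy means the original changed after it was protected.
        $good = @($copies | Where-Object {
            $_.Length -gt 0 -and $_.LastWriteTimeUtc -ge $file.LastWriteTimeUtc
        })

        if ($good.Count -gt 0)       { $status = 'Protected' }
        elseif ($copies.Count -gt 0) { $status = 'StaleOrEmptyCopy' }
        else                         { $status = 'NoProtectedCopy' }

        [pscustomobject]@{
            Original = $file.FullName
            Copies   = $copies.Count
            Status   = $status
        }
    }
}

# Constructed sample path; replace with the share used by the File Management Job.
$share = 'G:\Share'
if (Test-Path -LiteralPath $share) {
    Get-RpfCoverage -Path $share |
        Where-Object { $_.Status -ne 'Protected' } |
        Format-Table -AutoSize
}
```

An empty table means every original has a current protected copy; any row listed should be investigated before the originals are removed.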
RPF files are not recognized on non-Windows devices, because there is no AD RMS client available on non-Windows platforms. As a result, non-Windows users won't be able to consume RPF files.