Active Directory Rights Management Services (AD RMS) is an information protection technology. One of the areas in which AD RMS becomes useful is that preventing leakage of sensitive information that goes through Exchange Server in the company. You can also use AD RMS individually to protect Office documents or with SharePoint Server to control your sites.
AD RMS protects the information (documents, emails etc) by encrypting them, In order to decrypt an AD RMS protected content, you need licenses. Only the super user group is granted to get licenses. You can set this user group from Security Policies container in AD RMS management tool.
Change of this group takes effect after 24 hours because server caches the membership list of this group locally to avoid too many requests to AD domain controller. If you don’t want to wait for 24 hours, follow the steps below:
- Log in to AD RMS SQL Server
- Open SQL Server Management Studio
- Right click on
PrincipalIdentifierstable inDRMS_DirectoryServicesand choose Edit rows - Change the expiration dates to a past time
PrincipalIdentifierstable - Apply the steps 3 and 4 for the table
GroupIdentifiersin the same databaseGroupIdentifierstable - Restart IIS in AD RMS server
Random fact, but I hope you’re aware that the SuperUsers have access to every file. Everybody in your domain can acquire a license for the documents they are authorised for, superuser can acquire license for any file… Don’t put any users in there 😉
Good catch! However, we need to use superuser group for Exchange – AD RMS integration. It is good idea to put a user that isn’t belong to any real users in this group
Thank you very much, it was be helpful for me 🙂