Using the Super Users Group

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

During provisioning, RMS creates a special super users group that has full control over all rights-protected content. Members of the super users group are granted full owner rights in all use licenses that are issued by the RMS cluster on which the super users group is configured. This means that members of this group can decrypt any and all protected content files and remove protection from them. A member of this group can, for example, remove protection from files that have been published by a terminated employee so that a new owner can publish and manage the files.

By default, the super users group has no members, not even administrators. When you use the administration Web site, you can specify an Active Directory security group to use as the super users group for RMS. You can either use an existing Active Directory group or create a new group for this purpose. The group must exist in the same Active Directory forest as the RMS installation. Any user accounts that are members of the group that you specify as the RMS super users group are automatically granted the permissions of the super users group. For a higher level of security, an Active Directory restricted group can be used.


If RMS is deployed across forests, you must use an Active Directory Universal group so that the group membership is replicated to all of the global catalog servers.

For information about how to specify a super users group for RMS, see "To Set up a Super Users Group" later in this subject.


Before you can designate a group as the super users group for RMS, the group must exist in the same Active Directory forest as the RMS installation. The properties of that group must include an e-mail address that is the same as the account name. The e-mail address should be in the group_name@domain_name format.
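
The following PowerShell function is an added example, not part of the original documentation. It checks a candidate group against the requirements above and lists every account that would inherit super user rights. It assumes a management workstation with the ActiveDirectory module; the function name, the group name `RMSSuperUsers`, and the reading of domain_name as the DNS domain name are assumptions.

```powershell
# Added example: audit the AD group designated as the RMS super users group.
# Assumes the ActiveDirectory PowerShell module is available on the workstation.
Import-Module ActiveDirectory

function Test-RmsSuperUsersGroup {
    param(
        [Parameter(Mandatory)] [string] $GroupName,  # hypothetical group name
        [switch] $CrossForest                        # set when RMS spans forests
    )

    $group    = Get-ADGroup -Identity $GroupName -Properties mail
    $findings = @()

    # Build the DNS domain name from the DC= parts of the distinguished name.
    # Assumption: "domain_name" on this page means the DNS domain name.
    $dnsDomain = ($group.DistinguishedName -split ',' |
        Where-Object { $_ -like 'DC=*' } |
        ForEach-Object { $_.Substring(3) }) -join '.'

    # Requirement: e-mail address in group_name@domain_name form,
    # matching the account name.
    $expectedMail = '{0}@{1}' -f $group.SamAccountName, $dnsDomain
    if (-not $group.mail) {
        $findings += 'mail attribute is empty.'
    } elseif ($group.mail -ne $expectedMail) {
        $findings += "mail is '$($group.mail)', expected '$expectedMail'."
    }

    # Requirement: the super users group is an Active Directory security group.
    if ($group.GroupCategory -ne 'Security') {
        $findings += "Group category is $($group.GroupCategory), not Security."
    }

    # Requirement: Universal scope when RMS is deployed across forests.
    if ($CrossForest -and $group.GroupScope -ne 'Universal') {
        $findings += "Group scope is $($group.GroupScope), not Universal."
    }

    # Every direct or nested member can decrypt all protected content,
    # so return the effective membership for review.
    $members = @(Get-ADGroupMember -Identity $group -Recursive |
        Select-Object SamAccountName, objectClass, distinguishedName)

    [pscustomobject]@{
        Group    = $group.DistinguishedName
        Findings = $findings
        Members  = $members
    }
}

Test-RmsSuperUsersGroup -GroupName 'RMSSuperUsers' -CrossForest
```

An empty `Findings` list means the group meets the stated prerequisites; review `Members` whenever it is not empty, because each listed account has full owner rights over all content protected by the cluster.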