Alternatives to Decommissioning RMS

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

If you are still planning to use RMS in your organization, but you need to stop using certain RMS servers for any reason, consider using the following alternatives to decommissioning.

Set up a trusted publishing domain

All RMS-protected information is encrypted by the private key of the RMS root cluster. A trusted publishing domain enables you to import the private key of one RMS cluster onto another RMS cluster. This gives an RMS cluster the ability to issue use licenses against publishing licenses that were created by a different RMS root cluster. Once the key has been exported, the server can be unprovisioned and uninstalled.

Set up a super users group

If RMS-protected content cannot be opened because no users have rights to the content, you can grant full control over all rights-protected content published by that cluster to the super users group. Members of the super users group are granted full owner rights in all use licenses that are issued by the RMS cluster on which the super users group is configured. This means that members of this group can decrypt all rights-protected content files and remove protection from them. A member of this group can, for example, remove protection from files that have been published by a terminated employee so that a new owner can publish and manage the files.

The super users group does not automatically include any members, even administrators. This group must exist within Active Directory as a distribution group with an e-mail address attribute of the same value as the group name, in the format "" The group name must match the e-mail address attribute exactly and is case-sensitive. As a best security practice, the super users group should not contain any permanent members. When rights-protected content needs to be decrypted, add a user to the super users group, decrypt the rights-protected content, and then remove this user from the group. For additional security, the super users group should be an Active Directory restricted group.