Single/Shared RMS Infrastructure with Account Provisioning

Applies To: Windows Server 2008, Windows Server 2008 R2

The easiest way (conceptually) to enable users to share protected documents with users in an external organization is to host the user accounts for the external users inside the organization that owns the files to be shared. This can be done by adding accounts for the external users to AD domains in the hosting organization’s internal AD forest. (Typically, because external users are subject to different technical and business policies and may not be assigned the same level of trust as internal users, the external users’ accounts are created in a separate forest. This forest is normally managed completely separately from other forests and is used for AD RMS, in addition to other capabilities such as granting access rights to extranet sites.) If external users are included in the same forest as the users creating protected content, there are no additional requirements for sharing the content. The external users with accounts in the originating organization’s internal forest can access and create protected content, assuming the hosting organization enables remote access and the external users have installed the AD RMS client and the necessary IRM-enabled applications (one option is to provide the external users with virtual machines that have the necessary software installed).

If external users are added to a separate forest within the host organization (or if the external users remain in an external forest), an AD RMS trust must be established between the forests. This trust is different from an Active Directory domain or forest trust (which you can implement separately to enable access to resources in another forest and to enable group expansion).

Another alternative for external users is to use the Rights Management Add-On (RMA) for Internet Explorer to access protected content. This allows you to forgo installing IRM-enabled applications on external users’ client computers. However, in this scenario the AD RMS client must still be installed, and external users cannot create protected content; they can only consume it.

The main drawback to an organization hosting external users is the operational cost, as account provisioning, account de-provisioning, password management and help desk services can demand significant resources. Also, it is often cumbersome for users to manage separate identities, with a separate account name and password for each organization. Thus, this type of solution is recommended only when the number of external users is small, or other solutions cannot be utilized.
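The provisioning and de-provisioning cost described above is easiest to contain when external accounts are created in a dedicated OU of the separate forest with a fixed expiration date and a single group that carries their AD RMS rights, so that access ends on its own when nobody renews it. The following PowerShell is an added example, not part of the original page or of any Microsoft script; it assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2) and hypothetical names for the extranet forest (`extranet.example.com`), the OU (`External Users`, with a `Disabled` sub-OU) and the consumer group (`RMS-ExternalConsumers`). The mail attribute is populated because AD RMS issues rights account certificates against the user's e-mail address.

```powershell
# Added example (not from the original page): provision external-partner accounts in a
# dedicated OU of the extranet forest with an expiration date, and sweep expired accounts
# so they lose group membership, are disabled and are moved out of the active OU.
# All forest, OU and group names below are assumptions for illustration.
Import-Module ActiveDirectory

$ExternalOu    = 'OU=External Users,DC=extranet,DC=example,DC=com'              # assumed
$DisabledOu    = 'OU=Disabled,OU=External Users,DC=extranet,DC=example,DC=com'  # assumed
$ConsumerGroup = 'RMS-ExternalConsumers'                                        # assumed
$UpnSuffix     = 'extranet.example.com'                                         # assumed

function New-ExternalRmsUser {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$PartnerOrg,    # recorded so accounts can be reviewed per partner
        [Parameter(Mandatory)][string]$ContactEmail,  # the user's address at the partner; AD RMS keys rights to it
        [int]$ValidDays = 90                          # forces periodic re-approval instead of open-ended access
    )
    $sam = ('{0}.{1}' -f $GivenName, $Surname).ToLower()
    # Initial password is collected interactively rather than stored in the script.
    $initialPassword = Read-Host -Prompt "Initial password for $sam" -AsSecureString
    $user = New-ADUser -Name "$GivenName $Surname" `
        -GivenName $GivenName -Surname $Surname `
        -SamAccountName $sam `
        -UserPrincipalName "$sam@$UpnSuffix" `
        -EmailAddress $ContactEmail `
        -Path $ExternalOu `
        -AccountPassword $initialPassword `
        -ChangePasswordAtLogon $true `
        -AccountExpirationDate (Get-Date).AddDays($ValidDays) `
        -Description "External user - $PartnerOrg" `
        -Enabled $true `
        -PassThru
    # Only this group is referenced by the AD RMS rights policy templates; nothing else is granted by default.
    Add-ADGroupMember -Identity $ConsumerGroup -Members $user
    return $user
}

function Invoke-ExternalRmsCleanup {
    # Find accounts in the external OU whose expiration date has passed and remove their standing access.
    $expired = Search-ADAccount -AccountExpired -UsersOnly -SearchBase $ExternalOu
    foreach ($acct in $expired) {
        Remove-ADGroupMember -Identity $ConsumerGroup -Members $acct -Confirm:$false
        Disable-ADAccount -Identity $acct
        Move-ADObject -Identity $acct.DistinguishedName -TargetPath $DisabledOu
        Write-Output ('Deprovisioned {0} (expired {1})' -f $acct.SamAccountName, $acct.AccountExpirationDate)
    }
}

# Usage (hypothetical values):
# New-ExternalRmsUser -GivenName 'Alice' -Surname 'Partner' -PartnerOrg 'Partner Legal' -ContactEmail 'alice@partner.example'
# Invoke-ExternalRmsCleanup   # run on a schedule, e.g. nightly
```

Running the cleanup on a schedule turns de-provisioning from a help-desk task into a default: an account that nobody extends stops working at its expiration date, loses the group membership that the AD RMS templates reference, and ends up in the disabled OU where it can be audited before deletion.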