Setting up a Super Users Group

Updated: October 22, 2009

Applies To: Windows Server 2008 R2, Windows Server 2008 R2 with SP1

The Active Directory Rights Management Services (AD RMS) super users group is a special group that has full control over all rights-protected content managed by the cluster. Its members are granted full owner rights in all use licenses that are issued by the AD RMS cluster on which the super users group is configured. This means that members of this group can decrypt any rights-protected content file and remove rights-protection from it.

The super users group is disabled by default, and no group is assigned to it. When you set the IsEnabled property of the \SecurityPolicy\SuperUser container to $true, you must also specify an Active Directory Domain Services (AD DS) universal group to use as the super users group for AD RMS. The group must exist in the same forest as the AD RMS installation. Every user account that is a member of the group you specify is automatically granted the permissions of the super users group, so review the group's membership before you enable it.

Warning

Enable the super users group only on an as-needed basis, and disable it again as soon as the task that required it is complete. During normal operations the super users group should remain disabled, unless it is used to give a trusted application the ability to decrypt rights-protected content, for example so that the application can scan the content for malware.

Membership in the local AD RMS Enterprise Administrators, or equivalent, is the minimum required to complete this procedure.

To set up a super users group

  • At the Windows PowerShell command prompt, type:

    Set-ItemProperty -Path <drive>:\SecurityPolicy\SuperUser -Name IsEnabled -Value $true

    Set-ItemProperty -Path <drive>:\SecurityPolicy\SuperUser -Name SuperUserGroup -Value <group_e-mail>

    where <drive> is the name of the Windows PowerShell drive, and <group_e-mail> is the e-mail address of the universal group being designated as the AD RMS super users group.

For example, for a Windows PowerShell drive named Z, to designate a group named SecurityAdmins at fabrikam.com as the AD RMS super users group, at the Windows PowerShell command prompt, type:

Set-ItemProperty -Path Z:\SecurityPolicy\SuperUser -Name IsEnabled -Value $true

Set-ItemProperty -Path Z:\SecurityPolicy\SuperUser -Name SuperUserGroup -Value securityadmins@fabrikam.com

The super users group should remain enabled only when its use is required and should be disabled as soon as possible.

To disable the super users group

  • At the Windows PowerShell command prompt, type:

    Set-ItemProperty -Path <drive>:\SecurityPolicy\SuperUser -Name IsEnabled -Value $false

    where <drive> is the name of the Windows PowerShell drive.
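The two procedures above, combined into one script as an added example (this is not code from the original page or from Microsoft): it checks that the designated group exists and is a universal group, lists the members who will gain super user rights, enables the group, reads the settings back to confirm them, and disables the group again in a finally block so it is not left enabled if the task in between fails. It assumes the AdRmsAdmin and ActiveDirectory modules are available on the node it runs on, that the Windows PowerShell drive is named Z and is mapped to http://localhost, and it reuses the page's securityadmins@fabrikam.com group; the function names are this example's own.

```powershell
# Added example, not part of the original page. Assumptions: AdRmsAdmin and
# ActiveDirectory modules are installed, the drive is Z mapped to the local
# cluster, and the group is the page's securityadmins@fabrikam.com.
Import-Module AdRmsAdmin
Import-Module ActiveDirectory

$DriveName  = 'Z'
$ClusterUrl = 'http://localhost'              # assumed: script runs on a cluster node
$GroupMail  = 'securityadmins@fabrikam.com'   # group from the page's example
$SuperUser  = "${DriveName}:\SecurityPolicy\SuperUser"

if (-not (Get-PSDrive -Name $DriveName -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $DriveName -PSProvider AdRmsAdmin -Root $ClusterUrl | Out-Null
}

function Test-SuperUserGroupCandidate {
    # The page requires a universal group in the same forest, addressed by
    # its e-mail address, so the group must exist and carry a mail attribute.
    param([Parameter(Mandatory)][string]$Mail)

    $group = Get-ADGroup -Filter "mail -eq '$Mail'" -Properties mail
    if (-not $group) {
        throw "No AD DS group has the mail address '$Mail'."
    }
    if ($group.GroupScope -ne 'Universal') {
        throw "Group '$($group.Name)' is $($group.GroupScope); AD RMS requires a universal group."
    }
    # Every member will be able to decrypt all protected content, so show the
    # resolved (nested) membership before anything is enabled.
    Write-Host "Members of $($group.Name) who will gain super user rights:"
    Get-ADGroupMember -Identity $group.DistinguishedName -Recursive |
        ForEach-Object { Write-Host "  $($_.SamAccountName)" }
    return $group
}

function Enable-AdRmsSuperUserGroup {
    param([Parameter(Mandatory)][string]$Mail)
    $null = Test-SuperUserGroupCandidate -Mail $Mail
    # Same two settings, in the same order, as the page's procedure.
    Set-ItemProperty -Path $SuperUser -Name IsEnabled -Value $true
    Set-ItemProperty -Path $SuperUser -Name SuperUserGroup -Value $Mail
    # Read the settings back rather than trusting that the writes took effect.
    $state = Get-ItemProperty -Path $SuperUser
    if (-not $state.IsEnabled -or $state.SuperUserGroup -ne $Mail) {
        throw "Super users group was not enabled as expected: $($state | Out-String)"
    }
    Write-Host "Super users group enabled for $($state.SuperUserGroup)."
}

function Disable-AdRmsSuperUserGroup {
    Set-ItemProperty -Path $SuperUser -Name IsEnabled -Value $false
    $state = Get-ItemProperty -Path $SuperUser
    if ($state.IsEnabled) {
        throw "Super users group is still enabled on $ClusterUrl."
    }
    # Disabling clears IsEnabled only; the assigned group is left in place.
    Write-Host "Super users group disabled (assigned group remains: $($state.SuperUserGroup))."
}

# Enable, run the one-off task that needs super user rights, and disable in a
# finally block so the group does not stay enabled if the task throws.
Enable-AdRmsSuperUserGroup -Mail $GroupMail
try {
    # ... perform the decryption or content-scanning task here ...
}
finally {
    Disable-AdRmsSuperUserGroup
}
```

The membership listing is the step most worth keeping: AD RMS grants the rights to whoever is in the group at the time a use license is issued, so a group that has picked up nested or stale members is the usual way a "temporary" super users group ends up far broader than intended.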

See Also

Concepts

Using Windows PowerShell to Administer AD RMS
Understanding the AD RMS Administration Provider Namespace
Configuring Accounts

Other Resources

Understanding AD RMS User Accounts