Configure the AD RMS Super Users Group

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2008 R2 with SP1

The Active Directory Rights Management Services (AD RMS) super user feature is a special role that enables users or groups to have full control over all rights-protected content managed by the cluster. Its members are granted full owner rights in all use licenses that are issued by the AD RMS cluster on which the super users group is configured. This means that members of this group can decrypt any rights-protected content file and remove rights-protection from it.

Note

Although the super users role allows members to be granted full rights to any content natively protected using the AD RMS cluster key, it also allows full control to content protected using a foreign cluster key if that key has been imported through the establishment of a trusted publishing domain (TPD) relationship between the clusters.

By default the super users group is not enabled. When you enable the Super Users setting in the Active Directory Rights Management Services (AD RMS) console, you can specify an Active Directory Domain Services (AD DS) universal group to use as the super users group for AD RMS. The group must occur in the same forest as the AD RMS installation. Any user accounts that are members of the group that you specify for the AD RMS super users role are automatically granted the permissions of the super users role. To give the Exchange 2010 Server the ability to decrypt messages and attachments protected by the AD RMS cluster, you add a user account that represents the Exchange 2010 Server to the AD RMS super users role.

Before you perform this procedure, an Exchange Server 2010 administrator must either create a mail-enabled universal group (distribution list) that contains the Federated Delivery Mailbox user account (which is named FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042) or add that account to an existing mail-enabled universal group that is being used as part of the super users role on the AD RMS cluster. Because the Federated Delivery Mailbox user account is a system mailbox, it is not visible in the Exchange Management Console. To add it to a distribution group, an Exchange administrator must use the Add-DistributionGroupMember cmdlet from the Exchange Server Shell. For more information, see “Add a Federated Delivery Mailbox to the AD RMS Super Users Group” (https://go.microsoft.com/fwlink/?LinkId=201686).

Important

If a super users group is already enabled on the AD RMS cluster, it may take 24 hours for any changes to the membership of the super users role to take effect because the AD RMS cluster caches the membership of the super users role.

Membership in the local AD RMS Enterprise Administrators, or equivalent, is the minimum required to complete this procedure.

To set up the Exchange Server super users group

1. Open the Active Directory Rights Management Services console and expand the AD RMS cluster.

2. In the console tree, expand Security Policies, and then click Super Users.

3. In the Actions pane, click Enable Super Users.

4. In the results pane, click Change Super User Group to open the Super Users properties sheet.

5. In the Super user group box, type the e-mail address of the designated super users group, or click Browse to navigate through the defined users and groups in the directory.

6. Click OK.