Limitations of This Deployment Design

Published: December 23, 2009

Applies To: Windows Server 2008, Windows Server 2008 R2

The AD RMS deployment design used in this document has some feature limitations. The supported features listed here come directly from the product group. The following sections list the AD RMS features that are supported and those that are not. This list may not include every feature available in AD RMS. If a feature is not listed here as supported, consider it unsupported for this deployment scenario.

The following is a list of supported features:

  • Lockbox Certification - Organizations must identify the users who are trusted entities within their AD RMS installation. To allow for this, AD RMS issues rights account certificates that associate user accounts with a key pair that is protected specifically to the user's computer. These certificates let users publish and consume rights-protected content. Each certificate contains a public key that is used to license information that is intended for that user's consumption.

  • Use licenses that enforce usage rights and conditions - A user who receives rights-protected content must request and receive a use license (UL) from AD RMS to be able to view the content. A UL is granted to an individual and lists the usage rights and conditions that apply when that person consumes the content.

  • Publishing licenses that define usage rights and conditions - The ability to assign content-specific usage rights and conditions. These usage rights and conditions are defined within publishing licenses that specify the authorized users who can consume the content and how that content can be used and distributed.

  • Group Expansion - This has limited support in the resource forest only.

  • Rights Policy Templates - Administrators can create and distribute official rights policy templates that define the usage rights and conditions for a predefined set of users. These templates provide a manageable way for organizations to establish document classification hierarchies for their content.

  • Super Users Group - The Active Directory Rights Management Services (AD RMS) super users group is a special group that has full control over all rights-protected content managed by the cluster. Its members are granted full owner rights in all use licenses that are issued by the AD RMS cluster on which the super users group is configured. This means that members of this group can decrypt any rights-protected content file and remove rights-protection from it. The super users group is outside the scope of this document. For additional information about the super users group, see Setting up a Super Users Group.

The following is a list of features that are not supported:

  • AD RMS Prelicensing Agent - You can use the Active Directory Rights Management Services (AD RMS) Prelicensing agent to certify the Microsoft Office Outlook recipient's authenticity. This would allow the recipient to open messages without receiving a credential prompt on every attempt. This feature is not supported in this design.

The following is a list of features that have not been extensively tested:

The features listed below have not been thoroughly tested to work in this design. If you choose to use them in a production environment, there is no guarantee that they will be supported.

  • Group expansion across forests

  • Query based groups

  • Trusted Publishing Domains

  • Trusted User Domains

  • ADFS

  • Exclusion/Revocation

  • ServerBox

  • MobileBox

  • Decommission