Share via

AD RMS and Active Directory Objects

Applies To: Windows Server 2008, Windows Server 2008 R2

Microsoft Active Directory Domain Services (AD DS) is a Windows-based directory service. AD DS stores information about objects on a network and makes this information available to users and network administrators. For example, these objects can include user and computer accounts. AD DS is a requirement for installing and implementing AD RMS.

AD RMS Active Directory Objects

The following table summarizes the required and optional AD DS user and computer objects for an AD RMS implementation.

Active Directory Object Description Remarks

AD RMS Servers Computer Accounts

All servers in the AD RMS Certification/Licensing cluster must be Active Directory domain members
  • The computer on which you are installing AD RMS must be a member server in a domain, or it must be a domain controller. You cannot deploy AD RMS on a server that is part of a workgroup. These accounts and objects are created automatically when the computer is joined to a domain.

AD RMS Admin Account

Create a dedicated user account to administer the AD RMS architecture.
  • For security and scalability reasons, this account does not need to have extra privileges, such as domain administrator. Make it a member of domain users only or local administrator in each AD RMS cluster node.

AD RMS Service Account

Create a dedicated user account to use as the AD RMS service account. For security reasons, it is strongly recommended that you create a special user account used exclusively as the AD RMS service account. .
  • For security and scalability reasons, do not use the local SYSTEM user account.

  • This account does not need to have extra privileges, such as domain administrator or local administrator. Make it a member of domain users only.

  • This account is assigned the required rights during server installation.

SQL Service Account

Create a dedicated user account to use as the SQL service account. For security reasons, it is strongly recommended that a special user account be used exclusively as the SQL service account. .
  • For security and scalability reasons, do not use the local SYSTEM user account.

Superuser Group

This sensitive group is used to grant access to RMS-protected documents, even though members of this group do not have explicit rights to the documents.
  • This feature is disabled by default.

  • It is highly recommended you audit the assigned Super User group usage.

  • It is recommended to use an AD DS restricted group to better manage its membership

Users

AD RMS users must be members of a domain and use their domain account.
  • Either user or inetOrgPerson objects can be used to represent users.

  • The mail attribute must be populated with an RFC 822 compliant e-mail address.

  • The proxyAddress multi-valued attribute can store previous or alternate e-mail addresses.

Contacts

AD RMS can use contacts to work properly in a multi-forest environment.
  • The contact object must be used.

  • The msExchOriginatingForest attribute permits AD RMS to perform group expansion across forests.

Service Connection Point

AD RMS uses a serviceConnectionPoint object in a forest to enable service discovery by clients.
  • The serviceConnectionPoint object is created through the AD RMS management user interface.

  • The serviceConnectionPoint objects do not require schema extensions and are routinely used by other services.

  • Registry settings on clients and servers can be used instead of a serviceConnectionPoint.

  • A member of the Active Directory Enterprise Administrators group is required to create the service connection point.

ADFS Admin Account (Optional)

Create a dedicated user account to administer the AD FS component.
  • For security and scalability reasons, this account does not need to have extra privileges, such as domain administrator. Make it a member of domain users only or local administrator in each AD FS.