Administer AD RMS by Using the Active Directory Rights Management Services console

Applies To: Windows Server 2008

When you add a cluster to the Active Directory Rights Management Services console, a connection is made between the console and a server in the cluster that serves as the AD RMS cluster connection point. The other servers in the cluster are joined with that server to create the cluster and are managed together.

To administer AD RMS, you must have been granted an administration role on each server in the AD RMS cluster. For day-to-day operations, three administration groups are defined for AD RMS:

  • AD RMS Enterprise Administrators

    Members of this group have access to all features in the AD RMS console. During installation of AD RMS, the installing user account is automatically added to this group.

  • AD RMS Template Administrators

    Members of this group can only access rights policy template administration features in the AD RMS console.

  • AD RMS Auditors

    Members of this group can only access the reports feature in the AD RMS console.

Note

There is also the AD RMS Service Group. Members of this group act as the AD RMS service account. During the installation of AD RMS, the user account designated as the service account is automatically added to this group.

In addition to these administrative groups, some features are restricted to users that have additional credentials:

  • Changing the AD RMS service account

    Performing this task requires that the logged-on user account be a member of the AD RMS Enterprise Administrators group and a member of the local Administrators group on the server.

  • Changing the cluster key password

    Performing this task requires that the logged-on user account be a member of the AD RMS Enterprise Administrators group and a member of the local Administrators group on the server.

  • Registering or changing the service connection point (SCP)

    Performing this task requires that the logged-on user account be a member of the AD RMS Enterprise Administrators group and have permission to change and create objects in Active Directory Domain Services (AD DS). For example, a user who is a member of the AD RMS Enterprise Administrators group and the AD DS Enterprise Admins group would have the proper credentials to perform this task.
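The following added example (not part of the original documentation) audits the local AD RMS groups named above on each cluster server and flags AD RMS Enterprise Administrators members that are also direct members of the local Administrators group, the combination required to change the service account or the cluster key password. It assumes PowerShell 2.0 or later and remote access to the servers; the server names and the `Get-GroupMemberPath` helper are hypothetical.

```powershell
# Added example. Server names are placeholders (assumption); group names come from the page.
$Servers    = @('RMS01', 'RMS02')
$RoleGroups = 'AD RMS Enterprise Administrators', 'AD RMS Template Administrators',
              'AD RMS Auditors', 'AD RMS Service Group'

# Hypothetical helper: returns the members of a local group as "DOMAIN/name" strings.
# Uses the WinNT ADSI provider, so no additional modules are needed.
function Get-GroupMemberPath {
    param([string]$Server, [string]$Group)
    try {
        $g = [ADSI]"WinNT://$Server/$Group,group"
        foreach ($m in @($g.psbase.Invoke('Members'))) {
            $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
            $path -replace '^WinNT://', ''   # strip the scheme so paths compare cleanly
        }
    } catch {
        # Group missing or server unreachable: warn and return nothing.
        Write-Warning "Could not read '$Group' on ${Server}: $($_.Exception.Message)"
    }
}

$report = foreach ($server in $Servers) {
    $localAdmins = @(Get-GroupMemberPath -Server $server -Group 'Administrators')
    foreach ($group in $RoleGroups) {
        foreach ($member in @(Get-GroupMemberPath -Server $server -Group $group)) {
            # Only direct membership is compared; accounts that reach local
            # Administrators through a nested domain group are not expanded here.
            $elevated = ($group -eq 'AD RMS Enterprise Administrators') -and
                        ($localAdmins -contains $member)
            New-Object PSObject -Property @{
                Server = $server; Group = $group; Member = $member
                CanChangeServiceAccountOrClusterKey = $elevated
            }
        }
    }
}

$report | Sort-Object Server, Group, Member |
    Format-Table Server, Group, Member, CanChangeServiceAccountOrClusterKey -AutoSize
```

Run it from an account with administrative rights on the cluster servers and compare the output against the accounts you expect in each role.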

Membership in the local AD RMS Enterprise Administrators, AD RMS Template Administrators, or AD RMS Auditors group, or equivalent, is the minimum required to complete this procedure.

To open the Active Directory Rights Management Services console

  1. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. The AD RMS cluster to which this computer is assigned is added automatically. If you want to add additional clusters, click Add Cluster in the results pane.
