Required Accounts and Permissions for RMS

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The following table specifies the user rights and permissions that are required to deploy and administer RMS.

| Activity | User Account and Permissions |
| --- | --- |
| Installing RMS | Log on by using a domain account that is a member of the local Administrators group. |
| Provisioning RMS | Log on by using a domain account that is a member of the local Administrators group. In addition, this account must have a SQL login with the System Administrator role granted on the SQL Server database so that RMS can set up the databases. During provisioning, you must specify the RMS service account, which you must have already created. The account should be a standard domain user account with no additional permissions. This account is made a member of the RMS Service Group and is the account that RMS will run under during routine operations. For single-server deployments where the database is on the same computer as the root cluster, you can specify the Local System account. However, for security reasons, it is recommended that you always specify the RMS service account rather than the Local System account. When the database is on a separate server, you must specify a domain account for the RMS service account. |
| Administering RMS | Log on by using a domain account that is a member of the local Administrators group. You can customize security settings to manage access to the administration Web pages. |

Note

The account used to log on to the RMS server does not require membership in any additional domain group, such as the Domain Admins group. However, some specific administrative tasks, such as registering the service connection point and modifying the security policies, do require an account with additional privileges.
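
The service account guidance above (a standard domain user, not Local System, added to the RMS Service Group) can be audited on a provisioned server. The following PowerShell is an added example, not part of the original documentation. It assumes that "RMS Service Group" is a local group on the RMS server; `CONTOSO\rmssvc`, `Get-DirectGroupMember` and `Test-RmsServiceAccount` are placeholder or hypothetical names.

```powershell
# Added example. Run on the RMS server from an account in the local Administrators group.
# Assumption: "RMS Service Group" (named in the text above) is a local group on this server.

function Get-DirectGroupMember([string]$GroupName) {
    # Direct members of a local group, read through the WinNT ADSI provider.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $class = $_.GetType().InvokeMember('Class',   'GetProperty', $null, $_, $null)
        # WinNT://DOMAIN/name or WinNT://DOMAIN/COMPUTER/name: keep the last two parts.
        $parts = $path.Replace('WinNT://', '').Split('/')
        New-Object PSObject -Property @{
            Name  = (($parts | Select-Object -Last 2) -join '\')
            Class = $class
        }
    }
}

function Test-RmsServiceAccount([string]$Account) {
    # Returns a list of findings; an empty result means no deviation was detected.
    if ($Account -match '^(NT AUTHORITY\\)?(SYSTEM|Local ?System)$') {
        return @('Local System is configured; a dedicated domain user account is recommended.')
    }
    $findings = @()

    $admins = @(Get-DirectGroupMember 'Administrators')
    if ($admins | Where-Object { $_.Name -eq $Account }) {
        $findings += "$Account is a direct member of the local Administrators group."
    }
    # Nested groups are not expanded here, so list them for manual review.
    $admins | Where-Object { $_.Class -eq 'Group' } | ForEach-Object {
        $findings += "Review membership of group $($_.Name), which grants local Administrators rights."
    }

    try {
        $svcGroup = @(Get-DirectGroupMember 'RMS Service Group')
        if (-not ($svcGroup | Where-Object { $_.Name -eq $Account })) {
            $findings += "$Account is not a member of the RMS Service Group."
        }
    } catch {
        $findings += 'RMS Service Group could not be read; confirm that RMS has been provisioned.'
    }
    $findings
}

# Placeholder account name; replace with your RMS service account.
Test-RmsServiceAccount 'CONTOSO\rmssvc'
```

Only direct group membership is evaluated, so an account that gains administrative rights through a nested domain group appears only in the "Review membership" findings.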