AD RMS and Active Directory Objects

AD RMS Servers Computer Accounts

All servers in the AD RMS Certification/Licensing cluster must be Active Directory domain members

• The computer on which you are installing AD RMS must be a member server in a domain, or it must be a domain controller. You cannot deploy AD RMS on a server that is part of a workgroup. These accounts and objects are created automatically when the computer is joined to a domain.
  
  

AD RMS Admin Account

Create a dedicated user account to administer the AD RMS architecture.

• For security and scalability reasons, this account does not need to have extra privileges, such as domain administrator. Make it a member of domain users only or local administrator in each AD RMS cluster node.
  
  

AD RMS Service Account

Create a dedicated user account to use as the AD RMS service account. For security reasons, it is strongly recommended that you create a special user account used exclusively as the AD RMS service account. .

• For security and scalability reasons, do not use the local SYSTEM user account.
  
  

• This account does not need to have extra privileges, such as domain administrator or local administrator. Make it a member of domain users only.
  
  

• This account is assigned the required rights during server installation.
  
  

SQL Service Account

Create a dedicated user account to use as the SQL service account. For security reasons, it is strongly recommended that a special user account be used exclusively as the SQL service account. .

• For security and scalability reasons, do not use the local SYSTEM user account.
  
  

• Please check SQL Server documentation for minimum privilege permissions required for SQL Server. See: AD RMS SQL Server Requirements (http://go.microsoft.com/fwlink/?LinkId=153468).
  
  

Superuser Group

This sensitive group is used to grant access to RMS-protected documents, even though members of this group do not have explicit rights to the documents.

• This feature is disabled by default.
  
  

• It is highly recommended you audit the assigned Super User group usage.
  
  

• It is recommended to use an AD DS restricted group to better manage its membership
  
  

Users

AD RMS users must be members of a domain and use their domain account.

• Either user or inetOrgPerson objects can be used to represent users.
  
  

• The mail attribute must be populated with an RFC 822 compliant e-mail address.
  
  

• The proxyAddress multi-valued attribute can store previous or alternate e-mail addresses.
  
  

Contacts

AD RMS can use contacts to work properly in a multi-forest environment.

• The contact object must be used.
  
  

• The msExchOriginatingForest attribute permits AD RMS to perform group expansion across forests.
  
  

Service Connection Point

AD RMS uses a serviceConnectionPoint object in a forest to enable service discovery by clients.

• The serviceConnectionPoint object is created through the AD RMS management user interface.
  
  

• The serviceConnectionPoint objects do not require schema extensions and are routinely used by other services.
  
  

• Registry settings on clients and servers can be used instead of a serviceConnectionPoint.
  
  

• A member of the Active Directory Enterprise Administrators group is required to create the service connection point.
  
  

ADFS Admin Account (Optional)

Create a dedicated user account to administer the AD FS component.

• For security and scalability reasons, this account does not need to have extra privileges, such as domain administrator. Make it a member of domain users only or local administrator in each AD FS.