Changing the AD RMS Service Account

Updated: October 22, 2009

Applies To: Windows Server 2008 R2, Windows Server 2008 R2 with SP1

During installation, Active Directory Rights Management Services (AD RMS) creates the AD RMS Service Group on the local computer and grants it appropriate permissions on all of the resources that are required for AD RMS to operate. When you provision AD RMS on a server, you must define a domain account for use as the AD RMS service account.

That account is made a member of the AD RMS Service Group, and it is granted the permissions that are associated with this group. During routine operations, AD RMS runs under the AD RMS service account.

You can change the AD RMS service account at any time. When you do so, the previously specified account is automatically removed from the AD RMS Service Group, and the new account is made a member of it. If there is more than one server in the AD RMS cluster where you are changing the AD RMS service account, you must change the service account on all servers in the cluster.

Important

For security reasons, we highly recommend that you create a special user account to use as the AD RMS service account, and that you use this account only as the AD RMS service account and for no other purpose. In addition, you should not grant this account any additional permissions.

Membership in the AD RMS Enterprise Administrators and the local Administrators group, or equivalent, is the minimum required to complete this procedure. Also, this procedure can only be performed on the local computer; it cannot be performed remotely.

To change the AD RMS Service Account

  1. At the Windows PowerShell command prompt, type:

    Set-RmsSvcAccount -Path <drive>:\

    where <drive> is the name of the Windows PowerShell drive.

  2. In the dialog box that appears, type the user name (in <domain>\<user> format) and password of the new service account.

To view the AD RMS Service Account

  • At the Windows PowerShell command prompt, type:

    Get-RmsSvcAccount -Path <drive>:\

    where <drive> is the name of the Windows PowerShell drive.
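The following script is an added example, not part of the original procedure. It runs the change and view steps together and then confirms the AD RMS Service Group membership described above. The drive name RC, the root URL https://localhost, and the account name CONTOSO\svc-adrms are assumptions; substitute your own values.

```powershell
# Added example. Run locally, in an elevated Windows PowerShell session,
# on EACH server in the AD RMS cluster (the procedure cannot be run remotely).
# Assumptions: drive name RC, root URL https://localhost, and the
# constructed placeholder account name below.
$NewAccount = 'CONTOSO\svc-adrms'      # constructed placeholder
$Group      = 'AD RMS Service Group'   # local group created by AD RMS setup

Import-Module AdRmsAdmin
if (-not (Get-PSDrive -Name RC -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name RC -PSProvider AdRmsAdmin -Root https://localhost | Out-Null
}

# Record the state before the change.
Get-RmsSvcAccount -Path RC:\
net localgroup $Group

# Change the account. Enter $NewAccount and its password in the dialog box.
Set-RmsSvcAccount -Path RC:\

# Confirm what AD RMS now reports as its service account.
Get-RmsSvcAccount -Path RC:\

# The new account should now be a member of the AD RMS Service Group,
# and the previous account should no longer be listed.
$members = net localgroup $Group | ForEach-Object { $_.Trim() }
if ($members -contains $NewAccount) {
    Write-Host "$NewAccount is a member of '$Group'."
} else {
    Write-Warning "$NewAccount is NOT listed in '$Group'."
}

# The service account should hold no additional permissions. This only
# checks direct membership in the local Administrators group; membership
# through nested domain groups is not detected here.
$admins = net localgroup Administrators | ForEach-Object { $_.Trim() }
if ($admins -contains $NewAccount) {
    Write-Warning "$NewAccount is a direct member of local Administrators."
}
```

Compare the Get-RmsSvcAccount output across all servers in the cluster; every server should report the same account.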

See Also

Concepts

Using Windows PowerShell to Administer AD RMS
Understanding the AD RMS Administration Provider Namespace
AD RMS Administration Cmdlets
Configuring Accounts

Other Resources

Understanding AD RMS User Accounts