AD RMS: AD RMS Super Users is enabled

Updated: August 31, 2012

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Rights Management Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer (https://go.microsoft.com/fwlink/?LinkId=122786).

Operating System

Windows Server 2008 R2

Product/Feature

Active Directory Rights Management Services (AD RMS)

Severity

Warning

Category

Configuration

Issue

The AD RMS Super Users group is enabled.

Impact

Members of the Super Users group can consume all content protected by this server, which is a potential security risk.

Members of the Super Users group get full owner rights in all use licenses for all AD RMS protected content published by the cluster where the Super Users group is enabled. This means that members of this group can decrypt any rights-protected content file and remove rights-protection from it.

Resolution

Disable the AD RMS Super Users group using the AD RMS Administration tool.

AD RMS provides the Super Users group as a data recovery mechanism. It can be used in situations such as when a document author leaves the organization or when all access to important documents has expired. By default, the AD RMS Super Users group is disabled and has no members. It is recommended that you enable both success and failure auditing for Audit account management and Audit directory service access so that changes to the group's membership can be tracked. It is also recommended that this group be enabled only while it is required for recovery of AD RMS protected content.

To disable the AD RMS Super Users group, complete the following tasks:

To disable the super users group

  1. Open the Active Directory Rights Management Services console and expand the AD RMS cluster.

  2. In the console tree, expand Security Policies, and then click Super Users.

  3. In the Actions pane, click Disable Super Users.

  4. Close the Active Directory Rights Management Services console.
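The same remediation can be scripted with the AD RMS administration PowerShell provider (AdRmsAdmin), which is useful when checking several cluster nodes. This is an added example, not part of the Microsoft article; it assumes the AdRmsAdmin module is installed on the node, that the script runs with AD RMS administrator rights, and that the cluster URL and the auditpol categories shown are the right ones for your environment.

```powershell
# Added example (not from the original article): report the Super Users
# state of the local AD RMS cluster, disable it if it is enabled, and turn
# on the auditing the article recommends for tracking membership changes.
# Assumes the AdRmsAdmin module is installed and the cluster is reachable
# at the URL below (placeholder; replace with your cluster URL).
Import-Module AdRmsAdmin

# Map the AD RMS administration provider to a drive.
New-PSDrive -Name AdRmsAdmin -PSProvider AdRmsAdmin -Root 'https://localhost' | Out-Null

# SecurityPolicy\SuperUser exposes IsEnabled and SuperUserGroup.
$superUser = Get-ItemProperty -Path 'AdRmsAdmin:\SecurityPolicy\SuperUser'

if ($superUser.IsEnabled) {
    # Same finding the BPA rule raises: every member of this group can
    # decrypt and strip protection from any content published by the cluster.
    Write-Warning ("Super Users is ENABLED; group: {0}" -f $superUser.SuperUserGroup)

    # Equivalent to 'Disable Super Users' in the Actions pane of the console.
    Set-ItemProperty -Path 'AdRmsAdmin:\SecurityPolicy\SuperUser' -Name IsEnabled -Value $false
    Write-Output 'Super Users has been disabled.'
} else {
    Write-Output 'Super Users is already disabled.'
}

# Enable success and failure auditing for account management and directory
# service access so that later changes to the group's membership are logged.
auditpol /set /category:"Account Management" /success:enable /failure:enable
auditpol /set /category:"DS Access" /success:enable /failure:enable

Remove-PSDrive -Name AdRmsAdmin
```

If the group is needed again for a recovery, set IsEnabled back to $true for the duration of the recovery only and re-run the script afterwards.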

Additional references

For more information, see Set up a Super Users Group (https://go.microsoft.com/fwlink/?LinkID=186343).