RMS Security Groups

Updated: June 1, 2008

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

RMS Setup creates two groups: the RMS Service Group and the Super Users group.

The RMS Service Group is a local security group that is granted sufficient permissions to gain access to all resources that are required for RMS operations. During installation, the administrator specifies a user account to use as the RMS service account. This user account is automatically made a member of the RMS Service Group, and is thereby granted its permissions. RMS runs as this user account during most of its normal operations.

Another important RMS group is the Super Users group. This group has full control over all content, which means that a member of this group can decrypt all rights-protected content files and remove all RMS protections from them. The Super Users group has no members, by default, and does not automatically include RMS administrators or members of the Domain Admins group. Managing the membership of this group is crucial to the security of your rights-protected content. For more information, see "Using the Super Users Group" in "RMS: Operations " in this documentation collection.