Creating the RMS Service Account

Updated: June 1, 2008

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

During installation, RMS creates a security group called RMS Service Group on the local computer and grants it the appropriate permissions on all of the resources that are required for RMS to operate.

When you provision RMS on a server, you specify a user account as the RMS service account. The account that you specify is made a member of the RMS Service Group, and is thereby granted the permissions that are associated with this group. During normal operations, RMS runs under the RMS service account for most purposes.

The RMS service account cannot be the same domain account that was used to install RMS.

For security reasons, it is highly recommended that you create a special user account to use as the RMS service account, and that you use this account for no other purpose. In addition, you should not grant this account any additional permissions.

You should create this special user account before you install and provision RMS.
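The following batch script is an added example, not part of the original documentation. It shows one way to create the dedicated account with the Windows Server 2003 directory service command-line tools (`dsadd`, `dsget`) before RMS is installed. The distinguished name, the account names, and the description text are constructed placeholders.

```batch
@echo off
rem Added example. All names below are constructed placeholders (assumptions),
rem not values taken from the RMS documentation.
setlocal
set "SVC_DN=CN=svc-rms,OU=Service Accounts,DC=example,DC=com"
set "SVC_SAM=svc-rms"
rem Account that will be used to run RMS setup (placeholder).
set "INSTALL_SAM=rms-installer"

rem The RMS service account cannot be the domain account used to install RMS.
if /i "%SVC_SAM%"=="%INSTALL_SAM%" (
    echo Error: the service account and the installation account must differ.
    exit /b 1
)

rem Create the dedicated domain user. "-pwd *" prompts for the password,
rem so it is never stored in the script or shown on the command line.
dsadd user "%SVC_DN%" -samid %SVC_SAM% -pwd * -mustchpwd no -canchpwd no -disabled no -desc "RMS service account only"
if errorlevel 1 (
    echo Error: the account was not created.
    exit /b 1
)

rem List every domain group the account belongs to, including nested groups.
rem Any membership beyond the domain default is an additional permission
rem and should be removed before the account is used for RMS.
dsget user "%SVC_DN%" -memberof -expand

endlocal
```

Running the `dsget` line again later is a quick way to confirm that the account has not picked up extra domain group memberships. The local RMS Service Group is a local group on the RMS server and does not appear in this domain query.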

For more information about the permissions that are granted to the RMS Service Group and the accounts under which RMS runs, see “RMS Security Model” in “RMS: Technical Reference” in this documentation collection.