How AD RMS Works

How AD RMS Works

Active Directory Rights Management Services (AD RMS) is a server role available in the Microsoft Windows Server 2008 and Microsoft Windows Server 2008 R2 operating systems. As an Active Directory service, it takes advantage of the identity and authentication provided by Active Directory to provide user-level access control to information.

The term "Rights Management Services" encompasses all of the server and client technologies that are required to support information rights management (IRM) in an organization. When you deploy AD RMS to provide IRM in your organization, one or more AD RMS servers,  together comprising an AD RMS root cluster, certify trusted entities that are in the AD RMS system. In addition, you can deploy AD RMS licensing-only servers in the organization to issue publishing and use licenses that control how rights-protected content is consumed by the AD RMS client applications. AD RMS client technologies, including the AD RMS client, lockbox, and AD RMS–enabled applications, run on client computers and allow users to create, publish, and consume rights-protected content.

The different AD RMS client and server technologies work together to support the following functions:

  • Creation of rights-protected content. Users who are trusted entities in an AD RMS system can easily create and manage protected files by using applications and tools that incorporate the features of AD RMS technology. In addition, AD RMS–enabled applications can draw upon centrally defined and officially authorized rights policy templates to help users easily apply a predefined set of corporate usage policies. AD RMS–enabled applications are developed by Microsoft and non-Microsoft developers.
  • Licensing and distribution of rights-protected content. AD RMS issues certificates that identify the trusted entities that can publish and consume rights-protected content. Users who are trusted entities in an AD RMS system can assign usage rights and conditions to content that they author and want to protect. These usage policies specify who can use the content and what they can do with it. Typically by applying rights policy templates to their content, authors can request publishing licenses which bind the usage policies to the specified content. They can then distribute the content, for example, by sending it to other users who are in their organization, posting it to internal servers for company use, or distributing it to trusted external partners.

    This process is largely transparent to users. When a content author applies a rights policy template to a message or a document, the application that the author is using to publish the content creates a publishing license request according to the usage policies in the template. AD RMS validates the trusted entities in the publishing licensing request and then issues a license that contains the specified usage rights and conditions for the content. The AD RMS–enabled application then generates the symmetric keys and uses them to encrypt the content. After the content is protected by this mechanism, only the users who are specified in the publishing licenses can decrypt and consume that content. Those users must also be trusted entities in the RMS system.

  • Acquiring licenses to decrypt rights-protected information and enforcing usage policies. Users who are trusted entities can consume rights-protected content by using trusted clients. These clients are AD RMS–enabled computers and applications that allow users to view and work with rights-protected content, to preserve that content's integrity, and to enforce usage policies. When users attempt to gain access to rights-protected content, requests are sent to an AD RMS server to issue use licenses for the user to consume that content.

    Again, in a process that is transparent to users, the AD RMS system issues unique use licenses that the AD RMS client can read and interpret. The AD RMS client inspects the certificate chain of the content. The AD RMS client then reviews the content revocation list if required to make sure that all of the criteria that establish the validity of the content are in place. Following this, the AD RMS client enforces the usage rights and conditions specified for the user as specified in the publishing license. Provided that all of the usage rights and conditions are met, the AD RMS–enabled application uses the content key issued by the AD RMS system to decrypt the content. The usage rights and conditions are persistent and can be enforced wherever that the content goes.

The AD RMS platform comprises the following basic elements that enable rights management:

  • Trusted entity to issue a root certificate. This can be an external certificate authority (CA) or an internal CA if it is trusted by all clients that connect to the AD RMS system.
  • AD RMS cluster (servers). AD RMS is a server role for Windows Server 2008 and Windows Server 2008 R2 that certifies trusted entities, licenses rights-protected information, enrolls servers and users, and administers functions of rights management. You can extend RMS to support additional features by using the Active Directory Rights Management Services Software Development Kit (SDK).
  • AD RMS client. To install and use AD RMS–enabled applications, users who are in an AD RMS environment must have a client computer that has  Rights Management Services client software installed and activated. AD RMS client software is built into the Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 operating systems. Users of computers running Windows XP must download the Windows RMS with SP2 client from
  • AD RMS–enabled applications. These applications allow users to specify usage rights for the content that they create and distribute. By using the AD RMS SDK, application developers can extend their existing applications so that they are AD RMS-enabled. One example of an AD RMS-enabled application that has been extended to support AD RMS is Microsoft Internet Explorer, which can be enabled to support AD RMS by installing an add-on. To download the Rights Management Add-on for Internet Explorer, see You can use this add-on in Internet Explorer starting with version 6 SP1 to enable viewing rights-protected content.
Leave a Comment
  • Please add 3 and 2 and type the answer here:
  • Post
Wiki - Revision Comment List(Revision Comment)
Sort by: Published Date | Most Recent | Most Useful
  • Jim Groves (MSFT) edited Revision 3. Comment: Fixed version of IE supported by add-in.

Page 1 of 1 (1 items)
Wikis - Comment List
Sort by: Published Date | Most Recent | Most Useful
Posting comments is temporarily disabled until 10:00am PST on Saturday, December 14th. Thank you for your patience.
Page 1 of 1 (4 items)