Active Directory Rights Management Services (AD RMS) has three different administrative roles to help you better delegate control of your AD RMS environment.  These roles are created the first time you install AD RMS in your organization. 

The AD RMS Enterprise Administrators group has full access to the features in the AD RMS console. The user account that installed AD RMS is automatically added to this group during installation. You should limit membership in this group to users who require access to all AD RMS options. Members of the Enterprise Administrators group can perform virtually all AD RMS tasks, with the exception of the following, which require additional credentials:

  • Changing the AD RMS service account, which requires Local Administrator credentials on the servers and SysAdmin permissions on the SQL Server.
  • Changing the cluster key password, which requires Local Administrator credentials on the servers.
  • Registering or changing the service connection point (SCP), which requires Enterprise Administrator permission in Active Directory (the forest-level Enterprise Admins group, not the AD RMS Enterprise Administrators group).

The AD RMS Templates Administrators group can create and manage rights policy templates. This group is created during AD RMS installation, but no users are added to it by default. Remember that permission to create and manage templates can, by extension, lead to rights over any piece of protected content. This group should therefore include only highly trusted users.

Members of the AD RMS Auditors group can only access the reports feature in the AD RMS console.  Members of this group can support users having difficulties obtaining licenses by looking at the reports that the AD RMS console can generate.  They can also measure the performance of a server and check server health. This group is also created during AD RMS installation, but no users are added to it by default.

We recommend that you create Active Directory universal security groups for each of these administrative roles and add those security groups to the corresponding local AD RMS groups on each AD RMS server. This allows you to scale your AD RMS deployment across several servers, because membership is then managed once in the domain rather than on each server. Using universal groups also helps with group expansion across forests.
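As an added example (not from the original page or from Microsoft's documentation), the following PowerShell creates the three universal security groups described above, nests each one in its local AD RMS group on every server, and reports any other direct members of those local groups so that unexpected memberships are visible. The domain name, OU path, server names, and group names are assumptions; the local group names must match those on your AD RMS servers.

```powershell
#Requires -Modules ActiveDirectory
# Added example: all names below are hypothetical and must be adjusted to your environment.
$Domain  = 'CONTOSO'
$OuPath  = 'OU=Role Groups,DC=contoso,DC=com'   # hypothetical OU for role groups
$Servers = 'RMS01', 'RMS02'                     # hypothetical AD RMS cluster members

# Map each domain universal group to the local AD RMS role group it belongs in.
# Local group names are taken from the text above; verify them on your servers.
$RoleMap = @{
    'RMS-EnterpriseAdmins' = 'AD RMS Enterprise Administrators'
    'RMS-TemplateAdmins'   = 'AD RMS Templates Administrators'
    'RMS-Auditors'         = 'AD RMS Auditors'
}

# 1. Create the universal security groups once in the domain (skips groups that exist).
foreach ($groupName in $RoleMap.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
        New-ADGroup -Name $groupName -GroupScope Universal -GroupCategory Security `
                    -Path $OuPath -Description "AD RMS role: $($RoleMap[$groupName])"
    }
}

# 2. On each server: ensure the universal group is a member of its local role group,
#    then emit one record per additional direct member for review.
$report = Invoke-Command -ComputerName $Servers -ArgumentList $Domain, $RoleMap -ScriptBlock {
    param($Domain, $RoleMap)
    foreach ($groupName in $RoleMap.Keys) {
        $localGroup = $RoleMap[$groupName]
        $expected   = "$Domain\$groupName"
        $members    = @(Get-LocalGroupMember -Group $localGroup | Select-Object -ExpandProperty Name)
        if ($members -notcontains $expected) {
            Add-LocalGroupMember -Group $localGroup -Member $expected
        }
        foreach ($extra in ($members | Where-Object { $_ -ne $expected })) {
            [pscustomobject]@{
                Server           = $env:COMPUTERNAME
                LocalGroup       = $localGroup
                UnexpectedMember = $extra
            }
        }
    }
}

# Anything listed here is a direct member that bypasses the domain group (for example,
# the account that installed AD RMS) and should be reviewed against the guidance above.
$report | Format-Table Server, LocalGroup, UnexpectedMember -AutoSize
```

Run from a management host with the ActiveDirectory module and PowerShell remoting to the AD RMS servers; Get-LocalGroupMember and Add-LocalGroupMember require Windows Server 2016 or later on the target servers.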