Active Directory Rights Management Services (AD RMS) Data leakage is the unauthorized transmission of information – either to people within the organization or people outside the organization – who should not be able to access that information. One of the major advantages of using AD RMS over other security features such as NTFS permission is that AD RMS permission travels along with the documents.

AD RMS integrates with existing Microsoft products and OS including Windows Server, Exchange Server, SharePoint Server, Microsoft Office Suite and Microsoft Azure.

AD RMS can protect data in transit and at rest. For example, AD RMS can protect documents that are sent as email messages by ensuring that a message cannot be opened even if it is accidentally addressed to the wrong recipient.

When to use AD RMS?

For example, you Finance Manager copies a spreadsheet file containing the compensation packages of an organization’s executives from a protected folder on a file server to the Manager’s personal USB drive. During the commute home, the Manager leaves the USB drive on the train, where someone with no connection to the organization finds it. Without AD RMS, whoever finds the USB drive can open the file. With AD RMS, it is possible to ensure that the file cannot be opened by unauthorized users.

AD RMS uses rights policy templates to enforce a consistent set of policies to protect content. When configuring AD RMS, you need to develop strategies to ensure that users can still access protected content from a computer that is not connected to the AD RMS cluster.

You also need to develop strategies for excluding some users from being able to access AD RMS – protected content, and strategies to ensure that protected content can be recovered in the event that it has expired, the template has been deleted, or if the author of the content is no longer available.

Rights policy templates allow you to configure standard methods of implementing AD RMS policies across the organization.

For example, you can configure standard templates that grant view-only rights, block the ability to edit, save, and print, or if used with Exchange Server, block the ability to forward or reply to messages.

AD RMS templates support the following rights:

Full Control: Gives a user full control over an AD RMS – protected document.

View: Gives a user the ability to view an AD RMS – protected document.

Edit: Allows a user to modify an AD RMS – protected document.

Save: Allows a user to use the Save function with an AD RMS – protected document.

Export: (Save as). Allows a user to use the Save As function with an AD RMS – protected document.

Print: Allows an AD RMS – the protected document to be printed.

Forward: Used with Exchange Server. Allows the recipient of an AD RMS – protected message to forward that message.

Reply: Used with Exchange Server. Allows the recipient of an AD RMS – protected message to reply to that message.

Reply All: Used with Exchange Server. Allows the recipient of an AD RMS–protected message to use the Reply All function to reply to that message.

Extract: Allows the user to copy data from the file. If this right is not granted, the user cannot copy data from the file.

Allow Macros: Allows the user to utilize macros.

View Rights: Allows the user to view assigned rights.

Edit Rights: Allows the user to modify the assigned rights.ADRMSFor this Demo, as usual, I still am using my existing small Infrastructure which is and

1 – Let’s start by Creating AD RMS Service Account on Domain Server (Service account – Microsoft recommends using a standard domain user account with additional permissions. You can use a managed service account as the AD RMS service account).


2 – On the DC-Server server, open Active Directory User & Computers and Create New OU call Service Accounts.23

3 – Next, Create New User call ADRMSVC with the complete password.4567

4 – Next, Create New Group in Users container call ADRMS_SuperUsers and Create another Group call Executives.891011

5 – Next, Add few users to Executives group, for this Demo I choose My Four of my HR users to join the Executive group.1213141516

6 – Next, still on the DC-Server, Open the DNS Manager and Add New Host call ADRMS with SUB-SERVER-01 IP Address, On the DNS Manager, right-click and click New Host (A or AAAA).17.png

7 – In the New Host box, enter the following information, and then click Add Host:

  • Name: ADRMS
  • IP address:

Click OK, and then click Done.181920Orait, we now successfully Add new ADRMS Users & Groups to the AD and also configure DNS so that New ADRMS resource record created.

8 – Next, log in to to start to Install and configure the AD RMS server role.

Open the Server Manager, click Manage, and then click Add Roles and Features, in the Add Roles and Features Wizard, click Next 3 times.


9 – Then click Next 4 times.


10 – Next, click Install to proceed.


11 – Click Close when installation successful.1516

12 – Next, on the All Servers Task Details page, click Perform Additional Configuration.


13 – In the AD RMS Configuration: box, click Next.


14 – On the AD RMS Cluster box, click Create a New AD RMS root cluster, and then click Next.20

15 – On the Configuration Database box, click Use Windows Internal Database on this server, and then click Next to proceed.


16 – On the Service Account page, click Specify, then in the Windows Security box enter ADRMSVC as a Username and enter the password, then click OK and Next.


17 – On the Cryptographic Mode box, click Cryptographic Mode 2, and then click Next.


18 – On the Cluster Key Storage box, click Use AD RMS centrally managed key storage, and then click Next.


19 – On the Cluster Key Password boxenter the password and then click Next.


20 – On the Cluster Web Site box, verify that Default Web Site is selected, and then click Next.


21 – On the Cluster Address box, provide the following information, and then click Next to proceed :

  • Connection Type: Use an unencrypted connection (http://)
  • Fully Qualified Domain Name:
  • Port: 80


22 – On the Licensor Certificate box, type NewHelpTech ADRMS, and then click Next.


23 – On the SCP Registration box, click Register the SCP now, and then click Next to proceed.


24 – Click Install, and then click Close when installation successful.

32Screenshot (25)

25 – Next, open the Internet Information Services (IIS), Manager.

Screenshot (26)

26 – In Internet Information Services (IIS) Manager, expand Sites\Default Web Site and click_wmcs, then under /_wmcs Home, double-click Authentication.

Screenshot (27)

27 – Then right-click Anonymous Authentication and click Enable.

Screenshot (28).png

28 – In the Connections pane, expand _wmcs and click licensing and double-click Authentication.

Screenshot (29)

29 – Right-click Anonymous Authentication and click Enable, then close IIS Manager.

Screenshot (30)

“You must sign out before you can manage AD RMS”

Screenshot (31)

Next, let’s configure AD RMS super users group for SUB_SERVER-01.

30 – In Server Manager, click Tools and then click Active Directory Rights Management Services.

Screenshot (32)

31 – In the Active Directory Rights Management Services console, expand the SUB_SERVER-01node and then click Security Policies.

Screenshot (33).png

32 – In the Security Policies area, under Super Users, click Enable Super User.

Screenshot (35)Screenshot (37)

33 – In the Super Users box, in the Superuser group text box, type [email protected], and then click OK.

Screenshot (39)Screenshot (40)Screenshot (42)Screenshot (43)

34 – Open the Active Directory Rights Management Services console, then click Rights Policy Templates node and then in the Actions pane, click Create Distributed Rights Policy Template.Screenshot (44)

35 – In the Create Distributed Rights Policy Template Wizard box, on the Add Template Identification information box, click Add.

Screenshot (45)

36 – On the Add New Template Identification Information box, enter the following information and then click Add and click Next to proceed.

  • Language: English (United States)
  • Name: ReadOnly

Screenshot (46)Screenshot (47)

37 – On the Add User Rights box, click Add, then on the Add User or Group page, type [email protected] and then click OK to proceed.

Screenshot (49)Screenshot (50)Screenshot (51)

38 – When [email protected] is selected, under Rights, click ViewVerify that Grant owner (author) full control right with no expiration is selected, and then click Next.

Screenshot (52)

39 – On the Specify Expiration Policy box, choose the following settings and then click Next:

  • Content Expiration: Expires after the following duration (days): 14
  • Use license expiration: Expires after the following duration (days): 14

Screenshot (53)

40 – On the Specify Extended Policy box, click Require a new use license every time content is consumed (disable client-side caching), click Next, and then click Finish.

Screenshot (54)Screenshot (55)
Screenshot (56)

“Next step, let’s Configure the rights policy template Distribution”

41 – On the SUB_Server-01, open Windows PowerShell, and type:

New-Item c:\RMSTemplates -ItemType Directory


42 – Next, type:

New-SmbShare -Name RMSTEMPLATES -Path c:\RMSTemplates -FullAccess NewHelpTech\ADRMSVC


43 – Next type:

New-Item c:\DocShare -ItemType Directory


44 – Next type:

New-SmbShare -Name docshare -Path c:\DocShare -FullAccess Everyone


45 – Open the Active Directory Rights Management Services console, click the Rights Policy Templates node, and in the Distributed Rights Policy Templates area, click Change distributed rights policy templates file location, then in the Rights Policy Templates dialog box, click Enable Export.

Screenshot (62)Screenshot (64)

46 – Next, in the Specify Templates File Location (UNC), type \\SUB_SERVER-01\RMSTEMPLATES, and then click OK.

Screenshot (65)

47 – Next, open Windows Explorer and navigate to the C:\rmstemplates folder, and verify that ReadOnly.xml are Present.

Screenshot (66).png

Now, you have successfully configured AD RMS templates.

Verifying AD RMS Client

1 – Switch and sign in to CLIENT-01 as NewHelpTech\A.


2 – Open the Internet options, click the Security tab, click Local intranet, and then click Sites.

Screenshot (1)

3 – Click Advanced, type in the Add this website to the zone and then click Add.

Screenshot (2)Screenshot (3)

4 – Open a blank Word 2016 document and then type a Descriptive message in the document.

Screenshot (4)

5 – Click Protect Document using the File tab and navigate to Restrict AccessRestricted Accessthen Connect to Rights Management Services.

Screenshot (5)

6 – Select the Restrict permission to this Document checkbox in the Permission dialog box, and then type [email protected] in the Read text box.

7 – Type [email protected] in the Change text box.

8 – Click OK to close the Permission dialog box.

9 – Switch user as NewHelpTech\B and open File Explorer, and then browse to \\SUB_SERVER-01\ADMSV.

11 – Try to open the Test.docx file. Notice the message that displays.

12 – Click View Permission and verify that B user has the view permission.

Good luck! Just give it try – I’m sure you’ll love it as well. If you have any comments or questions on feel free to contact me.

That’s all for now. 🙂

Similar Posts


  1. Pingback: canada medication
  2. Pingback: buy viagra usa
  3. Pingback: canada drugs
  4. Pingback:
  5. Pingback: canadian drugs
  6. Pingback:
  7. Pingback: canadian rx
  8. Pingback:
  9. Pingback: meritroyalbet
  10. Pingback: meritroyalbet
  11. Pingback: madridbet
  12. Pingback: eurocasino
  13. Pingback:
  14. Pingback: bahis siteleri
  15. Pingback: 2surface
  16. Pingback: meritroyalbet
  17. Pingback:
  18. Pingback:
  19. Pingback:
  20. Pingback:
  21. Pingback: cialis from canada
  22. Pingback:
  23. Pingback:
  24. Pingback:
  25. Pingback: drugs for sale
  26. Pingback:
  27. Pingback: buy viagra 25mg
  28. Pingback: buy cialis cheap
  29. Pingback:
  30. Pingback:
  31. Pingback: buy cials online
  32. Pingback: cialis
  33. Pingback: buy cials online
  34. Pingback:
  35. Pingback:
  36. Pingback: drugs for sale
  37. Pingback: bahis siteleri
  38. Pingback: A片
  39. Pingback: porno}
  40. Pingback: buy viagra pills
  41. Pingback: meriking
  42. Pingback: buy viagra pills
  43. Pingback: madridbet
  44. Pingback: madridbet
  45. Pingback: buy viagra 25mg
  46. Pingback: stromectol rosacea
  47. Pingback: drugstore online
  48. Pingback: canadian pharmacy
  49. Pingback: canadian drug
  50. Pingback: buy generic viagra
  51. Pingback: canadian rx
  52. Pingback: canada drug
  53. Pingback: madridbet
  54. Pingback: logilogilogi
  55. Pingback: zamazingo1
  56. Pingback: canadian pharmacys
  57. Pingback: canada rx
  58. Pingback: logarkomx
  59. Pingback: Bahiscom
  60. Pingback: Betmatik
  61. Pingback: Betist
  62. Pingback: Cratosslot
  63. Pingback: Betlike
  64. Pingback: Betebet
  65. Pingback: Mariobet
  66. Pingback: Tempobet
  67. Pingback: Tipobet
  68. Pingback: Klasbahis
  69. Pingback: Vdcasino
  70. Pingback: Casinoeuro
  71. Pingback: imajbet
  72. Pingback: imajbet giris
  73. Pingback: Sahabet
  74. Pingback: stromectol generic
  75. Pingback: 1xbet
  76. Pingback: Bahigo
  77. Pingback: Bahis siteleri
  78. Pingback: Onwin
  79. Pingback: Kralbet
  80. Pingback: Tipobet Giriş
  81. Pingback: Betkolik
  82. Pingback: Casino Siteleri
  83. Pingback: Bettilt
  84. Pingback: Betasus
  85. Pingback: Dinamobet
  86. Pingback: Jojobet
  87. Pingback: Jojobet giriş
  88. Pingback: Hepsibahis
  89. Pingback: Marsbahis
  90. Pingback: drugstore online
  91. Pingback: meritking
  92. Pingback: canada viagra
  93. Pingback: grandpashabet
  94. Pingback: online drug store
  95. Pingback: canadian pharmacy
  96. Pingback: canada viagra
  97. Pingback: buy viagra usa
  98. Pingback: pharmacy
  99. Pingback: canadian viagra
  100. Pingback: canadianpharmacy
  101. Pingback: cialis from canada
  102. Pingback: canadian drugstore
  103. Pingback: online pharmacies
  104. Pingback: online pharmacy
  105. Pingback: canada drug
  106. Pingback: madridbet
  107. Pingback: fuck google
  108. Pingback: okey oyna
  109. Pingback: canadian rx
  110. Pingback: madridbet
  111. Pingback: buy viagra 25mg
  112. Pingback: pharmacy canada
  113. Pingback: buy viagra 25mg
  114. Pingback: canadian cialis
  115. Pingback: canada rx

Comments are closed.