What is Active Directory Rights Management Services?

In this blog post, I will explain what Active Directory Rights Management Services is and how it is useful for your business.

Active Directory Rights Management Services (AD RMS) is a Microsoft security tool that provides data protection by enforcing data access policies. You can protect documents with the help of AD RMS.

You may be concerned about data theft or unauthorized offline access to your files and folders, especially now that data can be transferred easily in so many ways. That's where AD RMS comes into play. It is a perfect solution by Microsoft to overcome data theft issues.

This feature was introduced in Windows Server 2008 and continued to be used with Windows Server 2016, although things changed in Azure, where it was introduced with some advanced features such as MFA (multi-factor authentication) and document tracking.

It helps protect your information outside your direct control. You can set fine-grained usage policies on the files you wish to protect via RMS, and the files stay protected even when they are not under your control, such as files saved on an external USB drive.

There are two important components of AD RMS that must be configured properly for it to work efficiently:

AD RMS Client & AD RMS Server

We will discuss these components one by one.

AD RMS Client

The AD RMS client was first introduced in the Windows Vista operating system, and this component of AD RMS is already installed on Vista and later operating systems. However, you can always download the RMS Client for earlier operating systems (XP, 2003, SBS) to make them compatible with your RMS server.

It's not a separate application; instead, you can look for the file msdrm.dll under the %windir%\system32 directory. msdrm.dll stands for Microsoft Digital Rights Management.

AD RMS Server

The server component is implemented as a set of web services that can be used to administer an RMS infrastructure, issue licenses to content consumers and publishers, and issue certificates to computers and users. Just like the RMS Client, it is present in 2008 and higher operating systems; however, you can also install the AD RMS server on a lower version and make it work there.

To configure the server component, you must install the AD RMS role from Server Manager.

There are some prerequisites (best practices) for installing the AD RMS server:
  1. Install the AD RMS server as a member server in the same Active Directory domain.
  2. Create a domain user account that will be used as the AD RMS service account.
  3. Consider the following points while creating the service account:
  • This account requires the "log on locally" right on the AD RMS server.
  • This account does not require an e-mail account.
  • If AD RMS is installed on a domain controller, the service account should have Domain Administrator permissions or higher.
  • The user account installing AD RMS must differ from the AD RMS service account.
  • If you are registering the AD RMS service connection point (SCP) during installation, the user account installing AD RMS must be a member of the AD DS Enterprise Administrators group.
  • If you are using an external database server for the AD RMS databases, the user account installing AD RMS must have the right to create new databases.
  • If Microsoft SQL Server is used, the user account must be a member of the System Administrators database role.
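
A pre-flight check for the prerequisites above, written as an added PowerShell example (not part of the original post and not Microsoft's own tooling). It assumes the RSAT ActiveDirectory module is available on the intended AD RMS server; the function name `Test-AdRmsPrerequisite`, its parameters and the account name `svc-adrms` are hypothetical.

```powershell
# Added example: pre-flight check for the prerequisites listed above.
# Function and parameter names are hypothetical; account names are placeholders.
# Not checked here: the "log on locally" right and database/SQL Server permissions.
function Test-AdRmsPrerequisite {
    param(
        [Parameter(Mandatory)] [string] $ServiceAccount,  # sAMAccountName of the service account
        [string] $InstallAccount = $env:USERNAME,         # account that will run the role setup
        [switch] $RegisterScp                             # SCP will be registered during setup
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $checks = [ordered]@{}

    # Win32_ComputerSystem.DomainRole: 3 = member server, 4 or 5 = domain controller
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $checks['Host is a domain member server'] = ($role -eq 3)

    $svc  = Get-ADUser -Filter "SamAccountName -eq '$ServiceAccount'"
    $inst = Get-ADUser -Filter "SamAccountName -eq '$InstallAccount'"
    $checks['Service account exists in the domain'] = [bool]$svc
    $checks['Installer differs from service account'] = [bool]($svc -and $inst -and $svc.SID.Value -ne $inst.SID.Value)

    if ($role -ge 4) {
        # On a domain controller the service account needs Domain Administrator permissions;
        # group membership is used here as an approximation of that requirement.
        $da = Get-ADGroupMember -Identity 'Domain Admins' -Recursive
        $checks['Service account is in Domain Admins'] = ($da.SID.Value -contains $svc.SID.Value)
    }
    if ($RegisterScp) {
        # Enterprise Admins lives in the forest root domain
        $root = (Get-ADForest).RootDomain
        $ea = Get-ADGroupMember -Identity 'Enterprise Admins' -Server $root -Recursive
        $checks['Installer is in Enterprise Admins'] = ($ea.SID.Value -contains $inst.SID.Value)
    }
    # The RMS client ships with the OS as msdrm.dll
    $checks['msdrm.dll present'] = Test-Path (Join-Path $env:windir 'System32\msdrm.dll')

    foreach ($c in $checks.GetEnumerator()) {
        [pscustomobject]@{ Check = $c.Key; Passed = $c.Value }
    }
}

Test-AdRmsPrerequisite -ServiceAccount 'svc-adrms' -RegisterScp | Format-Table -AutoSize
```

A `False` in the "member server" row on a domain controller is expected; in that case the Domain Admins row shows whether the stricter service-account requirement is met.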