How to Configure Active Directory Rights Management Services on Windows Server 2012 R2
Active Directory Rights Management Services (AD RMS) on Windows Server 2012 R2 provides persistent data protection by embedding usage rights directly into documents, emails, and other content. Unlike traditional access control, which only restricts who can access a file at the file system level, AD RMS policies travel with the content itself and are enforced wherever the file is copied, preventing unauthorized printing, forwarding, copying, or screen capture even after the file leaves your organization's storage systems. This guide covers deploying an AD RMS cluster, configuring rights policy templates, and integrating with Office applications and Outlook.
Prerequisites
AD RMS requires Active Directory Domain Services with Windows Server 2003 or higher functional level. A service account (domain user) is needed for the AD RMS service — it will be added to the local Administrators group during setup. An SSL certificate for the AD RMS cluster URL is required (e.g., rms.contoso.com). A SQL Server database is required for the AD RMS configuration database — SQL Server Express is included for small deployments but SQL Server Standard/Enterprise is recommended for production. The AD RMS server must be domain-joined. Clients must have a version of Office (2010 or later) or the AD RMS client to consume RMS-protected content.
Preparing the Service Account
# Create the AD RMS service account (standard domain user, not admin)
# The password is prompted for at run time instead of being hard-coded in the script
New-ADUser -Name "svc-rms" `
    -SamAccountName "svc-rms" `
    -UserPrincipalName "[email protected]" `
    -AccountPassword (Read-Host -AsSecureString "Password for svc-rms") `
    -PasswordNeverExpires $true `
    -CannotChangePassword $true `
    -Enabled $true `
    -Description "AD RMS Service Account"
Installing the AD RMS Role
# Install AD RMS role with management tools
Install-WindowsFeature ADRMS -IncludeManagementTools
# Verify installation
Get-WindowsFeature ADRMS* | Where-Object {$_.InstallState -eq "Installed"}
Configuring the AD RMS Cluster
The AD RMS cluster is configured using the AD RMS console or PowerShell. For the first server in a new cluster, use the following configuration. Open Server Manager > Tools > Active Directory Rights Management Services and run the configuration wizard, or use the ADRMS cmdlets:
# Configure the AD RMS root cluster
# Use the ADRMS module for configuration
Import-Module ADRMS
# Configure AD RMS cluster via the console wizard
# Required inputs:
# 1. AD RMS Service Account: contoso\svc-rms (enter password when prompted)
# 2. Cryptographic Mode: Mode 2 (RSA 2048-bit keys, SHA-256 hashing) - RECOMMENDED
# 3. RMS Cluster Key Storage: AD RMS Centrally Managed Key (or HSM)
# 4. RMS Cluster Key Password:
# 5. RMS Cluster Website: Default Web Site (port 443 recommended)
# 6. Cluster Address: https://rms.contoso.com (must resolve and have SSL cert)
# 7. Server Certificate: Select SSL cert for rms.contoso.com
# 8. Licensor Certificate Name: "Contoso RMS"
# 9. Database Server: .\SQLEXPRESS or full SQL Server instance
# 10. Service Connection Point: Register SCP in AD (allow it to register)
Configure the RMS Cryptographic Mode to Mode 2 (more secure, required for modern clients):
# After installation, ensure Cryptographic Mode 2 is enabled
# (the mode can also be raised in the AD RMS console: right-click the cluster > Change Cryptographic Mode)
# Check current mode
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\DRMS\Parameters" `
    -Name "CryptographicMode" -ErrorAction SilentlyContinue
# Set Mode 2 if not already configured
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\DRMS\Parameters" `
    -Name "CryptographicMode" -Value 2 -Type DWord
Restart-Service DRMS
Registering the Service Connection Point
The Service Connection Point (SCP) in Active Directory allows RMS-aware applications to automatically discover the RMS cluster URL. It should be registered during setup, but can be registered manually:
# Open AD RMS console
# Navigate to AD RMS > [Cluster] > right-click > Properties > Service Connection Point
# Click "Register SCP" if not already registered
# Verify SCP registration in AD
# AD RMS publishes its SCP under CN=RightsManagementServices,CN=Services in the Configuration
# partition; the cluster URL is stored in the serviceBindingInformation attribute
Get-ADObject -SearchBase "CN=RightsManagementServices,CN=Services,CN=Configuration,DC=contoso,DC=com" `
    -Filter 'objectClass -eq "serviceConnectionPoint"' `
    -Properties serviceBindingInformation, keywords |
    Select-Object Name, serviceBindingInformation, keywords
Creating Rights Policy Templates
Rights Policy Templates define the usage rights that will be applied to protected content. Templates are distributed to Office clients and allow users to select pre-defined protection levels:
# Open AD RMS Administration console
# Navigate to: AD RMS > [Cluster] > Rights Policy Templates > Distributed Rights Policy Templates
# Create templates via the console wizard:
# Template 1: "Confidential - View Only"
# Rights: View only, no print, no copy, no export
# Expiry: Content expires in 30 days
# Target: All authenticated users in the organization
# Template 2: "Confidential - Internal Use Only"
# Rights: View, Print (internal only)
# No forward, no copy
# Target: NT AUTHORITY\Authenticated Users
# Template 3: "Do Not Forward (Email)"
# Rights: View, Reply, Reply All - No Forward, No Print, No Copy
# Specific to email scenarios in Outlook
Create templates via PowerShell using the ADRMS module:
# Connect to the AD RMS cluster with the AdRmsAdmin PowerShell provider
# (run as an AD RMS Enterprise Administrator; the provider uses your current credentials)
Import-Module AdRmsAdmin
New-PSDrive -Name RC -PSProvider AdRmsAdmin -Root "https://rms.contoso.com" | Out-Null
# Create a "Confidential - View Only" template. Only the rights listed in -Right are granted;
# Edit, Print, Forward, Copy and Extract are withheld simply by not listing them.
# -UserGroup takes the e-mail address of the group the rights apply to
# (a mail-enabled group covering the whole organization is assumed here)
$Template = New-Item -Path RC:\RightsPolicyTemplate `
    -LocaleName "en-US" `
    -DisplayName "Confidential - View Only" `
    -Description "Allows viewing only, no modification or forwarding" `
    -UserGroup "allusers@contoso.com" `
    -Right @("View")
# Content expiration (90 days in this design) is set on the template's Expiration Policy page
# in the AD RMS console: Rights Policy Templates > template > Properties > Expiration Policy
$Template
Configuring Template Distribution
Templates must be distributed to client machines so Office applications can display them. Configure the template distribution point:
# Templates are distributed via the RMS cluster URL automatically
# In the AD RMS console: Rights Policy Templates >
# Set the template distribution URL
# URL: https://rms.contoso.com/_wmcs/licensing
# For Office 2013/2016 clients, configure via GPO:
# User Configuration > Administrative Templates > Microsoft Office 2013 >
# Manage Restricted Permissions > Specify Permission Policy path
# Value: https://rms.contoso.com/_wmcs/licensing
# For Active Directory-based template distribution:
# Office looks for templates in AD via the SCP automatically
# Or configure the registry path:
reg add "HKCU\Software\Microsoft\Office\15.0\Common\DRM" /v "RMSTemplateSharePath" `
    /t REG_SZ /d "\\fileserver\RMSTemplates" /f
Configuring Super Users
The Super Users group allows members (such as security officers or eDiscovery tools) to decrypt all RMS-protected content regardless of the original permissions:
# Create the Super Users group first; AD RMS identifies the group by its e-mail address,
# so it must be mail-enabled (address assumed here)
New-ADGroup -Name "RMS-SuperUsers" -GroupScope Universal -GroupCategory Security `
    -OtherAttributes @{ mail = "rms-superusers@contoso.com" }
Add-ADGroupMember -Identity "RMS-SuperUsers" -Members "eDiscovery-SvcAccount"
# Enable the Super Users feature on the cluster via the AdRmsAdmin provider
Import-Module AdRmsAdmin
New-PSDrive -Name RC -PSProvider AdRmsAdmin -Root "https://rms.contoso.com" | Out-Null
Set-ItemProperty -Path RC:\SecurityPolicy\SuperUser -Name SuperUserGroup -Value "rms-superusers@contoso.com"
Set-ItemProperty -Path RC:\SecurityPolicy\SuperUser -Name IsEnabled -Value $true
# Verify Super Users configuration
Get-ItemProperty -Path RC:\SecurityPolicy\SuperUser
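Because Super Users can decrypt everything the cluster has ever protected, their membership deserves a recurring audit. The script below is an added example (not part of the original guide): it reads the Super Users setting through the AdRmsAdmin provider, expands the group AD RMS points at, and flags members that are not on a constructed allow-list, are disabled, or have not logged on for 90 days. It assumes the cluster URL https://rms.contoso.com and the IsEnabled / SuperUserGroup property names of the provider's SecurityPolicy\SuperUser item.

```powershell
# Added example: audit AD RMS Super Users membership against an allow-list.
# Assumes AdRmsAdmin provider drive RC: -> https://rms.contoso.com (constructed values).
Import-Module AdRmsAdmin
Import-Module ActiveDirectory

function Get-AdRmsSuperUserAudit {
    param(
        [string]$ClusterUrl = "https://rms.contoso.com",
        [string[]]$Approved = @("eDiscovery-SvcAccount"),   # constructed allow-list
        [int]$StaleDays = 90
    )
    if (-not (Get-PSDrive RC -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name RC -PSProvider AdRmsAdmin -Root $ClusterUrl | Out-Null
    }
    # SuperUser item exposes IsEnabled and SuperUserGroup (an e-mail address)
    $su = Get-ItemProperty -Path RC:\SecurityPolicy\SuperUser
    if (-not $su.IsEnabled) {
        return [pscustomobject]@{ Account = "(none)"; Flags = "Super Users feature disabled" }
    }
    # Resolve the AD group by the mail address AD RMS stores, then expand nested membership
    $group = Get-ADGroup -Filter "mail -eq '$($su.SuperUserGroup)'" -Properties mail
    if (-not $group) { throw "No AD group has mail address $($su.SuperUserGroup)" }
    $members = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq "user" } |
        ForEach-Object { Get-ADUser $_ -Properties Enabled, LastLogonDate }

    foreach ($m in $members) {
        $flags = @()
        if ($m.SamAccountName -notin $Approved) { $flags += "NOT ON ALLOW-LIST" }
        if (-not $m.Enabled) { $flags += "account disabled" }
        if (-not $m.LastLogonDate -or $m.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays)) {
            $flags += "no logon in $StaleDays days"
        }
        [pscustomobject]@{ Account = $m.SamAccountName; Flags = ($flags -join ", ") }
    }
}

Get-AdRmsSuperUserAudit | Format-Table -AutoSize
```

Any row with a non-empty Flags column is a finding to follow up; an empty column means the member is approved, enabled and active.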
Configuring Federation for Cross-Organization Sharing
AD RMS can federate with other AD RMS deployments or Azure Rights Management to allow content sharing with partner organizations:
# Add a trusted user domain for a partner organization
# In AD RMS console: Trust Policies > Trusted User Domains > Import Trusted User Domain
# Import the partner organization's exported Trusted User Domain file (.bin), which carries
# the public half of their Server Licensor Certificate
# Export your own Server Licensor Certificate for the partner to import:
# Trust Policies > Trusted User Domains > Export Trusted User Domain > save as C:\RMSCert\ContosoRMS-TUD.bin
# The exported .bin contains only public key material; the cluster private key stays on the
# cluster (or in the HSM) and is never exported for a partner
Verification
# Verify AD RMS cluster health
# In the AD RMS console, check "Security Policies" and "Cluster Key Information"
# Test RMS functionality from an Office client
# In Word 2013: File > Info > Protect Document > Restrict Access
# Select a template - if templates appear, RMS is working
# Check AD RMS event log
Get-WinEvent -LogName "Application" |
Where-Object {$_.ProviderName -like "*DRMS*" -and $_.Level -le 3} |
Select-Object TimeCreated, Id, Message | Format-List
# Verify SCP is accessible
Test-NetConnection -ComputerName rms.contoso.com -Port 443
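The manual checks above, gathered into one script as an added example (not part of the original guide). It assumes the cluster URL https://rms.contoso.com and the ActiveDirectory module, and goes a step further than the steps above by probing both AD RMS pipelines, checking the certificate's remaining lifetime, and confirming the SCP actually points at this cluster.

```powershell
# Added example: end-to-end health check for the AD RMS cluster built in this guide.
# Assumes cluster URL https://rms.contoso.com and the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-AdRmsHealth {
    param([string]$ClusterUrl = "https://rms.contoso.com")
    $hostName = ([uri]$ClusterUrl).Host
    $results  = New-Object System.Collections.Generic.List[object]
    $add = { param($Check, $Ok, $Detail)
        $results.Add([pscustomobject]@{ Check = $Check; Passed = [bool]$Ok; Detail = "$Detail" }) }

    # 1. TCP 443 reachable
    $tcp = Test-NetConnection -ComputerName $hostName -Port 443 -WarningAction SilentlyContinue
    & $add "TCP 443 reachable" $tcp.TcpTestSucceeded $tcp.RemoteAddress

    # 2. Certification and licensing pipelines answer over HTTPS (anything but HTTP 200 fails)
    foreach ($svc in "_wmcs/certification/server.asmx", "_wmcs/licensing/license.asmx") {
        try {
            $r = Invoke-WebRequest -Uri "$ClusterUrl/$svc" -UseBasicParsing -UseDefaultCredentials -TimeoutSec 15
            & $add "Pipeline $svc" ($r.StatusCode -eq 200) "HTTP $($r.StatusCode)"
        } catch {
            & $add "Pipeline $svc" $false $_.Exception.Message
        }
    }

    # 3. Server certificate for the cluster name exists and is not expiring within 30 days
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$hostName*" -or $_.DnsNameList.Unicode -contains $hostName } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    $certDetail = if ($cert) { "expires $($cert.NotAfter.ToShortDateString())" } else { "no certificate for $hostName" }
    & $add "SSL cert valid > 30 days" ($cert -and $cert.NotAfter -gt (Get-Date).AddDays(30)) $certDetail

    # 4. SCP published in AD and pointing at this cluster (URL lives in serviceBindingInformation)
    $scpBase = "CN=RightsManagementServices,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
    $scp = Get-ADObject -SearchBase $scpBase -Filter 'objectClass -eq "serviceConnectionPoint"' `
        -Properties serviceBindingInformation -ErrorAction SilentlyContinue
    $scpUrl = @($scp.serviceBindingInformation)[0]
    & $add "SCP points at cluster" ($scpUrl -like "$ClusterUrl*") $(if ($scpUrl) { $scpUrl } else { "no SCP found" })

    # 5. No AD RMS critical/error events in the Application log during the last 24 hours
    $errs = Get-WinEvent -FilterHashtable @{ LogName = "Application"; Level = 1, 2; StartTime = (Get-Date).AddDays(-1) } `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like "*Rights Management*" -or $_.ProviderName -like "*DRMS*" }
    & $add "No AD RMS errors in 24h" (-not $errs) "$(@($errs).Count) error event(s)"

    return $results
}

Test-AdRmsHealth | Format-Table -AutoSize
```

Run it on the AD RMS server after each change; a failed pipeline or SCP check explains the most common symptom, templates not appearing in Office.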
Summary
Active Directory Rights Management Services on Windows Server 2012 R2 provides persistent, content-centric data protection that follows documents wherever they travel. The deployment involves: installing and configuring the AD RMS cluster with Cryptographic Mode 2 for maximum security, registering the Service Connection Point in Active Directory, creating rights policy templates that define allowed operations, and distributing templates to clients via Group Policy. Super Users should be configured for compliance and eDiscovery purposes. AD RMS is most effective when combined with data classification to automatically apply protection to sensitive content as it is created.