How to Set Up Windows Server 2016 Active Directory Rights Management
Active Directory Rights Management Services (AD RMS) is an information protection technology that works with AD RMS-enabled applications to help safeguard sensitive documents and email from unauthorized use. When content is protected using AD RMS, usage policies are embedded directly in the file — specifying who can open it, what they can do (read, edit, print, forward), and for how long. Unlike file system permissions that reside on a server, AD RMS policies travel with the document regardless of where it is stored or sent, making it an effective solution for preventing data leakage.
How AD RMS Works
When a user protects a document or email with AD RMS, the client application contacts the AD RMS cluster to obtain a publishing license that encrypts the content and embeds the use policy. When a recipient tries to open the content, the RMS client application contacts the AD RMS cluster to obtain a use license, which is granted only if the recipient’s identity matches the policy. All of this happens transparently to the end user. The AD RMS cluster must be reachable for protected content to be opened.
Prerequisites
AD RMS requires an Active Directory domain, a service account with sufficient permissions, a SQL Server instance for the configuration database, and a valid SSL certificate for the AD RMS cluster URL. The service account must be a domain user (not a local account) but does not require Domain Admin privileges. Pre-create the service account before installation:
New-ADUser -Name "svc-adrms" -SamAccountName "svc-adrms" -UserPrincipalName "[email protected]" `
-AccountPassword (ConvertTo-SecureString "P@ssw0rd123!" -AsPlainText -Force) `
-PasswordNeverExpires $true -CannotChangePassword $true -Enabled $true
Add-ADGroupMember -Identity "Enterprise Admins" -Members "svc-adrms"Step 1: Install the AD RMS Role
Install the AD RMS server role and management tools:
Install-WindowsFeature ADRMS -IncludeAllSubFeature -IncludeManagementToolsVerify the installation:
Get-WindowsFeature ADRMS* | Select Name, InstallStateStep 2: Configure the AD RMS Root Cluster
Open the AD RMS console from Server Manager and run the configuration wizard. The wizard configures the cluster URL, service account, database, and cryptographic settings. For an automated installation, you can use the Install-AdrmsCluster cmdlet, though the GUI wizard is more commonly used for initial setup due to the complexity of required parameters.
Before running the wizard, create the AD RMS Service Connection Point container in AD:
# Verify the SCP can be registered
$adPath = "LDAP://CN=RightsManagementServices,CN=Services," + (Get-ADRootDSE).configurationNamingContext
[ADSI]$adObj = $adPath
Write-Host "AD RMS SCP path ready: $adPath"After running the configuration wizard, verify the AD RMS cluster is registered in Active Directory:
Get-ADObject -Filter { ObjectClass -eq "serviceConnectionPoint" } -SearchBase "CN=Services,$((Get-ADRootDSE).configurationNamingContext)" | Where-Object { $_.Name -like "*RMS*" } | Select Name, DistinguishedNameStep 3: Configure the SSL Certificate
AD RMS requires HTTPS for all communications. Bind the SSL certificate to IIS after configuration:
Import-Module WebAdministration
$certThumbprint = "A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2"
New-WebBinding -Name "Default Web Site" -Protocol https -Port 443 -HostHeader "rms.corp.local"
# Bind certificate to the HTTPS binding
$binding = Get-WebBinding -Name "Default Web Site" -Protocol https
$binding.AddSslCertificate($certThumbprint, "My")Step 4: Configure Rights Policy Templates
Rights policy templates define reusable sets of permissions that users can apply to content. Create templates for common scenarios like Confidential (view only) or Internal Use (read and print):
# Import the ADRMS module
Import-Module ADRMS
# Connect to the AD RMS cluster
Connect-RmsCertificationPipeline -ConnectionString "https://rms.corp.local"
# List existing policy templates
Get-RmsTemplate | Select -Property TemplateName, IsEnabled
# Create a new rights policy template
$rightsDefinition = New-RmsRightsDefinition -UserEmail "[email protected]" -Right @("VIEW","VIEWRIGHTSDATA")
New-RmsProtectionTemplate -Name "Confidential - View Only" -Description "Recipients can only view the document" -RightsDefinition $rightsDefinition -ValidityPeriodInDays 365Step 5: Configure Trusted User Domains
Trusted User Domains (TUDs) allow your AD RMS cluster to issue use licenses to users from other AD RMS deployments or external organizations. Export your trusted publishing domain and share it with trusted partners:
# Export the Trusted Publishing Domain certificate
certutil -dump "C:RMSTPD.xml"
# Add a trusted user domain from a partner organization
# Import their TPD file first
# In the AD RMS console: Trust Policies > Trusted User Domains > Import Trusted User DomainStep 6: Configure AD RMS for Office Integration
Deploy the AD RMS cluster URL via Group Policy so Office applications can discover the RMS server automatically:
# The AD RMS SCP in Active Directory enables auto-discovery
# Verify the SCP URL is correct
Get-ItemProperty -Path "HKLM:SOFTWAREMicrosoftMSDRMServiceLocationActivation" -ErrorAction SilentlyContinue
# Set RMS URL via registry for manual configuration if SCP is not used
$rmsUrl = "https://rms.corp.local"
New-ItemProperty -Path "HKCU:SoftwareMicrosoftOffice16.0CommonDRM" -Name "DefaultServer" -Value $rmsUrl -PropertyType String -ForceStep 7: Verify AD RMS Functionality
Test AD RMS by protecting a document from Word or Outlook and verifying the use license can be obtained:
# Check AD RMS service health
Get-Service ADRMS | Select Status, StartType
# View AD RMS event log
Get-EventLog -LogName "Application" -Source "DRMS*" -Newest 20 | Select TimeGenerated, EntryType, Message
# Verify AD RMS certification pipeline is responding
Invoke-WebRequest -Uri "https://rms.corp.local/_wmcs/certification/ServiceLocator.asmx" -UseBasicParsing | Select StatusCodeStep 8: Configure AD RMS Exclusion Policies
Exclusion policies allow you to block specific user accounts, application versions, or lockbox versions from obtaining use licenses — useful for revoking access after a security incident:
# Enable user exclusion for a compromised account
# In AD RMS console: Security Policies > Exclusion Policies > User Exclusion
# Add the compromised user's email address
# Check current exclusion policies via registry
Get-ItemProperty "HKLM:SOFTWAREMicrosoftDRMS1.0Exclusion" -ErrorAction SilentlyContinueAD RMS provides persistent, policy-enforced protection for sensitive information that remains with the content regardless of its location. Combined with Microsoft Information Protection and Azure RMS, it forms a comprehensive enterprise data protection strategy that addresses both internal and cloud-based information security requirements.
