Active Directory Rights Management Services: Installation and Configuration

AD RMS (Active Directory Rights Management Services) is a Windows Server service that provides extended rights management for certain files. The system is similar to the DRM protection used to protect intellectual property.

Used internally, AD RMS extends NTFS security rights by limiting the actions allowed on a file, for example by preventing a Word file from being printed or saved as a copy. To increase security, the file is also encrypted, which makes it unreadable to anyone who has no rights to it.

The AD RMS service can also be made available externally by using the ADFS service.

Principle of operation

To understand the AD RMS service, here is an example from the end user's point of view.

The AD RMS service is used internally to protect the operating documents drafted by the PLAN team for the BUILD teams.

When a document is served, RMS rights are applied to it so that only members of the IT_BUILD group can open it, and they cannot modify or print it. The document is then distributed by email as an attachment.

When a copy of the document is opened, the RMS server is contacted to validate the rights applied to the document and to determine whether the person can open it and interact with it.

Schematic overview of how AD RMS works

Here is a schematic representation of how the AD RMS service works.