Active Directory Rights Management Services
Applies To: Windows Server 2008 R2, Windows Server 2012
Active Directory Rights Management Services (AD RMS) for the Windows Server 2008 R2 operating system is information protection technology that works with AD RMS-enabled applications to help safeguard digital information from unauthorized use, both online and offline, and inside and outside of a firewall. AD RMS is designed for organizations that need to protect sensitive and proprietary information such as financial reports, product specifications, customer data, and confidential e-mail messages. AD RMS augments an organization's security strategy by providing protection of information through persistent usage policies (also known as usage rights and conditions), which remain with the information no matter where it is moved. AD RMS persistently protects any binary format of data, so the usage rights remain with the information rather than in an organization's network. This also enables usage rights to be enforced after the information is accessed by an authorized recipient, both online and offline, and inside and outside of the organization. AD RMS helps protect information through persistent usage policies by establishing the following essential elements:
Trusted entities. Organizations can specify the entities, such as individuals, groups of users, computers, and applications that are trusted participants in an AD RMS system. By establishing trusted entities, AD RMS can help protect information by enabling access only to properly trusted participants.
Usage rights and conditions. Organizations and individuals can assign usage rights and conditions that define how a specific trusted entity can use rights-protected content. Examples of usage rights are permission to read, copy, print, save, forward, and edit. Usage rights can be accompanied by conditions, such as when those rights expire. Organizations can exclude applications and entities from accessing the rights-protected content.
Encryption. Encryption is the process by which data is locked by using electronic keys. AD RMS encrypts information. This makes access conditional on the successful validation of the trusted entities. Once information is locked, only trusted entities that were granted usage rights under the specified conditions (if any) can unlock or decrypt the information in an AD RMS-enabled application or browser. The defined usage rights and conditions will then be enforced by the application.
The following topics provide information to assist you in accomplishing administrative tasks by using the Active Directory Rights Management Services console. Review the following topics to learn more about how to work with your AD RMS cluster.
Pre-installation Information for Active Directory Rights Management Services
Checklist: Deploying AD RMS in an Organization with Users in Multiple Forests
Checklist: Deploying AD RMS with Microsoft Federation Gateway Support
You can configure and manage AD RMS by using either the Windows interface or Windows PowerShell. The topics listed here describe methods for using the Windows interface. For more information about how to use Windows PowerShell for AD RMS, see https://go.microsoft.com/fwlink/?LinkId=136806.
For more information about how to plan, deploy, and troubleshoot AD RMS, see the Active Directory Rights Management Services TechCenter (https://go.microsoft.com/fwlink/?LinkId=80907).