5.3. Configuring AD RMS Super Users
To use IRM in Outlook Web App, IRM for Exchange Search, transport decryption, or journal report decryption functionality in Exchange Server 2010, the Super Users feature in AD RMS must be enabled and assigned to a group containing the Federated Delivery Mailbox. There is only one Federated Delivery Mailbox per organization, and it is created by the /PrepareAD process. If this mailbox is deleted or disabled, IRM functionality will not work; the associated Active Directory account for the Federated Delivery Mailbox is disabled by default. You can re-create the Federated Delivery Mailbox if necessary by running /PrepareAD again.
Enable and configure the AD RMS Super Users feature by following these steps:
1. If a Super Users group is not already created, create a distribution group named ADRMSSuperUsers and add the FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042 user to this group.
2. Log on to a server in the AD RMS cluster with an Active Directory account that is a member of the AD RMS Enterprise Administrators local group.
3. Start the Active Directory Rights Management Services management console from Administrative Tools and expand the cluster in the left-hand pane.
4. In the console tree in the left-hand pane, expand Security Policies and then select Super Users. Click Enable Super Users from the Actions pane, as shown in Figure 11.
5. Back in the Results pane, click Change Super User Group as shown in Figure 12. In the Super Users dialog box, type in the e-mail address of the Super Users group created in Step 1, or click Browse to select the group from Active Directory. Click OK to apply the group.
Note: If Super Users is already enabled for a group, and the Federated Delivery Mailbox is later added to that group, it may take between 12 and 24 hours for the change to take effect because AD RMS caches group memberships in SQL and only updates them from Active Directory when this cache has expired.
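
Step 1 can also be done from the Exchange Management Shell. The following is an added example, not taken from the original text: it creates the group only if it is missing, adds the Federated Delivery Mailbox, and then lists any other members, because every member of the Super Users group can decrypt all content protected by the AD RMS cluster. The variable names are illustrative.

```powershell
# Added example: run in the Exchange Management Shell (Exchange Server 2010).
$groupName = 'ADRMSSuperUsers'
$fdmName   = 'FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042'

# The Federated Delivery Mailbox is an arbitration mailbox; stop if it is missing.
$fdm = Get-Mailbox -Arbitration | Where-Object { $_.Name -eq $fdmName }
if (-not $fdm) {
    throw "Federated Delivery Mailbox not found; run /PrepareAD again first."
}

# Step 1: create the distribution group only if it does not already exist.
$group = Get-DistributionGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-DistributionGroup -Name $groupName -Alias $groupName
}

# Add the mailbox unless it is already a member (adding twice raises an error).
$isMember = Get-DistributionGroupMember -Identity $groupName |
    Where-Object { $_.Name -eq $fdmName }
if (-not $isMember) {
    Add-DistributionGroupMember -Identity $groupName -Member $fdm.Identity
}

# Audit: anything other than the Federated Delivery Mailbox in this group
# gains super-user decryption rights once the group is assigned in AD RMS.
$unexpected = @(Get-DistributionGroupMember -Identity $groupName |
    Where-Object { $_.Name -ne $fdmName })
if ($unexpected.Count -gt 0) {
    Write-Warning "$groupName has $($unexpected.Count) member(s) besides the Federated Delivery Mailbox:"
    $unexpected | Format-Table Name, RecipientType -AutoSize
}

# The e-mail address to type into the Super Users dialog box in Step 5.
(Get-DistributionGroup -Identity $groupName).PrimarySmtpAddress
```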