Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2012-07-23
For the following Microsoft Exchange Server 2010 Information Rights Management (IRM) features to be enabled, you must add the Federation mailbox (a system mailbox created by Exchange 2010 Setup) to the super users group on your organization's Active Directory Rights Management Services (AD RMS) cluster:
- IRM in Microsoft Office Outlook Web App
- Journal report decryption
- Transport decryption
You can configure a mail-enabled distribution group as a super users group in AD RMS. Members of the distribution group are granted an owner use license when they request a license from the AD RMS cluster. This allows them to decrypt all RMS-protected content published by that cluster. Whether you use an existing distribution group or create a distribution group and configure it as the super users group in AD RMS, we recommend that you dedicate the distribution group for this purpose and configure the appropriate settings to approve, audit, and monitor membership changes.
Note: If a super users group is already configured on an AD RMS cluster, any modifications to the distribution group membership can take up to 24 hours to be refreshed by the AD RMS cluster. This is a result of caching the group membership on the cluster.
Looking for other management tasks related to IRM? Check out Managing Information Rights Management.
Prerequisites
An AD RMS cluster is deployed in the Active Directory forest.
Use the Shell to add the Federation mailbox to a distribution group
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Distribution groups" entry in the Mailbox Permissions topic.
If a distribution group has been created and configured as a super users group in the AD RMS cluster, you can add the Exchange 2010 Federation mailbox as a member of that group. If a super users group isn't configured, you must create a distribution group and add the Federation mailbox as a member.
- Create a distribution group dedicated for use as an AD RMS super users group. For details, see Create a Distribution Group.
- Add the user FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042 to the new distribution group. The Federation mailbox is a system mailbox, and therefore not visible in the EMC. To add it to a distribution group, you must use the Add-DistributionGroupMember cmdlet from the Shell.
This example adds the Federation mailbox to the ADRMSSuperUsers distribution group.
Add-DistributionGroupMember ADRMSSuperUsers -Member FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042
For detailed syntax and parameter information, see Add-DistributionGroupMember.
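The two steps above, combined with the recommendation to restrict and monitor membership of the super users group, as an added Exchange Management Shell example that is not part of the original topic. It assumes the group name ADRMSSuperUsers from the example above, that the Federation mailbox is the only intended member, and that administrator audit logging is enabled.

```powershell
# Added example for the Exchange Management Shell (PowerShell 2.0 compatible).
$group        = 'ADRMSSuperUsers'   # group name from the page's example
$fedMailbox   = 'FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042'
$allowed      = @($fedMailbox)      # assumption: the only intended member
$lookbackDays = 30                  # assumption: audit review window

# Create the dedicated group if it is missing. Closed means users cannot
# add or remove themselves; only group managers or administrators can.
if (-not (Get-DistributionGroup -Identity $group -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $group -Alias $group `
        -MemberJoinRestriction Closed -MemberDepartRestriction Closed | Out-Null
}

# Add the Federation mailbox only if it is not already listed as a member.
$names = @(Get-DistributionGroupMember -Identity $group -ResultSize Unlimited |
           ForEach-Object { $_.Name })
if ($names -notcontains $fedMailbox) {
    Add-DistributionGroupMember -Identity $group -Member $fedMailbox
    $names += $fedMailbox
}

# Every member can decrypt all content protected by the cluster, so report
# any member that is not on the allow list.
$unexpected = @($names | Where-Object { $allowed -notcontains $_ })
if ($unexpected.Count -gt 0) {
    Write-Warning ("Unexpected members of {0}: {1}" -f $group, ($unexpected -join ', '))
}

# Membership changes made through Exchange cmdlets in the review window.
# Assumption: administrator audit logging is enabled (Exchange 2010 SP1 or later).
Search-AdminAuditLog -Cmdlets Add-DistributionGroupMember, Remove-DistributionGroupMember, Update-DistributionGroupMember `
    -StartDate (Get-Date).AddDays(-$lookbackDays) -EndDate (Get-Date) |
    Where-Object { $_.ObjectModified -like "*$group*" } |
    Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded
```

The administrator audit log records only changes made through Exchange cmdlets, so changes made directly in Active Directory need separate directory auditing.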
Use AD RMS to set up a super users group
Perform the following procedure on an AD RMS cluster. The account used to perform this procedure must be a member of the AD RMS Enterprise Administrators local group on the AD RMS server.
- Open the Active Directory Rights Management Services console and expand the AD RMS cluster.
- In the console tree, expand Security Policies, and then click Super Users.
- In the action pane, click Enable Super Users.
- In the result pane, click Change Super User Group to open the Super Users property sheet.
- In the Super user group box, type the e-mail address of the distribution group you created in the previous procedure, or click Browse to select a distribution group.
Other Tasks
After you add the Federation mailbox to the AD RMS super users group, you may also want to: