Applies to: Exchange Server 2013

Topic Last Modified: 2012-12-10

For the following Microsoft Exchange Server 2013 Information Rights Management (IRM) features to be enabled, you must add the Federation mailbox (a system mailbox created by Exchange 2013 Setup) to the super users group on your organization's Active Directory Rights Management Services (AD RMS) cluster:

You can configure a mail-enabled distribution group as a super users group in AD RMS. Members of the distribution group are granted an owner use license when they request a license from the AD RMS cluster. This allows them to decrypt all RMS-protected content published by that cluster. Whether you use an existing distribution group or create a distribution group and configure it as the super users group in AD RMS, we recommend that you dedicate the distribution group for this purpose and configure the appropriate settings to approve, audit, and monitor membership changes.

Caution:
Configuring a super users group in AD RMS allows group members to decrypt IRM-protected content. We recommend that you take adequate measures to control and monitor group membership and enable auditing to track membership changes. You can also limit unwanted changes to group membership by configuring the group as a restricted group using Group Policy. For details, see Restricted Groups Policy Settings.

For additional management tasks related to IRM, see Information Rights Management Procedures.

What do you need to know before you begin?

  • Estimated time to complete: 15 minutes.

  • You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Distribution groups" entry in the Recipients Permissions topic.

  • An AD RMS cluster must be deployed in the Active Directory forest.

  • If a super users group is already configured on an AD RMS cluster, any modifications to the distribution group membership can take up to 24 hours to be refreshed by the AD RMS cluster. This is a result of caching the group membership on the cluster.

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard Shortcuts in the Exchange Admin Center.

Tip:
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection

How do you do this?

Step 1: Use the Shell to add the Federation mailbox to a distribution group

If a distribution group has been created and configured as a super users group in the AD RMS cluster, you can add the Exchange 2013 Federation mailbox as a member of that group. If a super users group isn't configured, you must create a distribution group and add the Federation mailbox as a member.

  1. Create a distribution group dedicated for use as an AD RMS super users group. For details, see Manage Distribution Groups.

  2. Add the user FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042 to the new distribution group. The Federation mailbox is a system mailbox, and therefore not visible in the EAC. To add it to a distribution group, you must use the Add-DistributionGroupMember cmdlet from the Shell.

    This example adds the Federation mailbox to the ADRMSSuperUsers distribution group.

    Copy Code
    Add-DistributionGroupMember ADRMSSuperUsers -Member FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042
    

For detailed syntax and parameter information, see Add-DistributionGroupMember.

Step 2: Use AD RMS to set up a super users group

Perform the following procedure on an AD RMS cluster. The account used to perform this procedure must be a member of the AD RMS Enterprise Administrators local group on the AD RMS server.

  1. Open the Active Directory Rights Management Services console and expand the AD RMS cluster.

  2. In the console tree, expand Security Policies, and then click Super Users.

  3. In the action pane, click Enable Super Users.

  4. In the result pane, click Change Super User Group to open the Super Users property sheet.

  5. In the Super user group box, type the email address of the distribution group you created in the previous procedure, or click Browse to select a distribution group.

How do you know this worked?

After you have added the Federation mailbox to a new or existing distribution group, use the Get-DistributionGroupMember cmdlet to check the membership of the group.

For an example of how to check distribution group membership, see Example 1 in Get-DistributionGroupMember.

After you have used AD RMS to set up a super users group, you can use the following methods to verify that the super users group has been configured correctly. Additionally, you can use Test-IRMConfiguration cmdlet to verify IRM functionality.

  • Use the AD RMS console to verify that the correct group has been configured as the super users group.

  • Run the following PowerShell command on an AD RMS server to retrieve the super users group.

    Important:
    The ADRMSAdmin PowerShell module is available in Windows Server 2008 R2 and later.
    Copy Code
    Import-Module ADRMSAdmin
    New-PSDrive -Name MyRmsAdmin -PsProvider AdRmsAdmin -Root https://localhost 
    Get-ItemProperty -Path MyRmsAdmin:\SecurityPolicy\SuperUser