Applies to: Exchange Server 2013
Topic Last Modified: 2012-12-10
For the following Microsoft Exchange Server 2013 Information Rights Management (IRM) features to be enabled, you must add the Federation mailbox (a system mailbox created by Exchange 2013 Setup) to the super users group on your organization's Active Directory Rights Management Services (AD RMS) cluster:
- IRM in Microsoft Office Outlook Web App
- IRM in Exchange ActiveSync
- Journal report decryption
- Transport decryption
You can configure a mail-enabled distribution group as a super users group in AD RMS. Members of the distribution group are granted an owner use license when they request a license from the AD RMS cluster. This allows them to decrypt all RMS-protected content published by that cluster. Whether you use an existing distribution group or create a distribution group and configure it as the super users group in AD RMS, we recommend that you dedicate the distribution group for this purpose and configure the appropriate settings to approve, audit, and monitor membership changes.
Caution: Configuring a super users group in AD RMS allows group members to decrypt IRM-protected content. We recommend that you take adequate measures to control and monitor group membership and enable auditing to track membership changes. You can also limit unwanted changes to group membership by configuring the group as a restricted group using Group Policy. For details, see Restricted Groups Policy Settings.
For additional management tasks related to IRM, see Information Rights Management Procedures.
What do you need to know before you begin?
- Estimated time to complete: 15 minutes.
- You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Distribution groups" entry in the Recipients Permissions topic.
- An AD RMS cluster must be deployed in the Active Directory forest.
- If a super users group is already configured on an AD RMS cluster, any modifications to the distribution group membership can take up to 24 hours to be refreshed by the AD RMS cluster. This is a result of caching the group membership on the cluster.
- For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard Shortcuts in the Exchange Admin Center.
How do you do this?
Step 1: Use the Shell to add the Federation mailbox to a distribution group
If a distribution group has been created and configured as a super users group in the AD RMS cluster, you can add the Exchange 2013 Federation mailbox as a member of that group. If a super users group isn't configured, you must create a distribution group and add the Federation mailbox as a member.
- Create a distribution group dedicated for use as an AD RMS super users group. For details, see Manage Distribution Groups.
- Add the user FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042 to the new distribution group. The Federation mailbox is a system mailbox, and therefore not visible in the EAC. To add it to a distribution group, you must use the Add-DistributionGroupMember cmdlet from the Shell.
This example adds the Federation mailbox to the ADRMSSuperUsers distribution group.
Add-DistributionGroupMember ADRMSSuperUsers -Member FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042
For detailed syntax and parameter information, see Add-DistributionGroupMember.
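The following script carries Step 1 through end to end, with the checks an administrator would want around it: it creates the dedicated group only if it is missing, confirms the Federation mailbox exists as an arbitration mailbox before adding it, and then verifies that the group contains nothing but that mailbox. This is an added example, not part of the original article; the group name ADRMSSuperUsers is reused from the article and the comparison by Name is an assumption.

```powershell
# Added example (not from the original article). Run in the Exchange 2013
# Management Shell with rights to manage distribution groups.
$GroupName         = 'ADRMSSuperUsers'   # name from the article; adjust to your group
$FederationMailbox = 'FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042'

# Create the dedicated group only if it does not already exist. Closed
# join/depart restrictions keep membership changes in administrators' hands.
if (-not (Get-DistributionGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $GroupName -Type Distribution `
        -MemberJoinRestriction Closed -MemberDepartRestriction Closed | Out-Null
}

# The Federation mailbox is an arbitration (system) mailbox; a plain Get-Mailbox
# does not return it, so look it up with -Arbitration and fail fast if absent.
$fed = Get-Mailbox -Arbitration -Identity $FederationMailbox -ErrorAction Stop

# Add it to the group; ignore the error raised when it is already a member.
Add-DistributionGroupMember -Identity $GroupName -Member $FederationMailbox `
    -ErrorAction SilentlyContinue

# Verify: the group should contain the Federation mailbox and nothing else.
# Any other member would also be able to decrypt all content from the cluster.
$members = Get-DistributionGroupMember -Identity $GroupName
$hasFed  = $members | Where-Object { $_.Name -eq $fed.Name }   # assumption: compare by Name
$extra   = $members | Where-Object { $_.Name -ne $fed.Name }

if (-not $hasFed) {
    Write-Warning "$GroupName does not contain the Federation mailbox."
} elseif ($extra) {
    Write-Warning ("Unexpected members in {0}: {1}" -f $GroupName, ($extra.Name -join ', '))
} else {
    Write-Host "$GroupName contains only the Federation mailbox."
}
```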
Step 2: Use AD RMS to set up a super users group
Perform the following procedure on an AD RMS cluster. The account used to perform this procedure must be a member of the AD RMS Enterprise Administrators local group on the AD RMS server.
- Open the Active Directory Rights Management Services console and expand the AD RMS cluster.
- In the console tree, expand Security Policies, and then click Super Users.
- In the action pane, click Enable Super Users.
- In the result pane, click Change Super User Group to open the Super Users property sheet.
- In the Super user group box, type the email address of the distribution group you created in the previous procedure, or click Browse to select a distribution group.
How do you know this worked?
After you have added the Federation mailbox to a new or existing distribution group, use the Get-DistributionGroupMember cmdlet to check the membership of the group.
For an example of how to check distribution group membership, see Example 1 in Get-DistributionGroupMember.
After you have used AD RMS to set up a super users group, you can use the following methods to verify that the super users group has been configured correctly. Additionally, you can use the Test-IRMConfiguration cmdlet to verify IRM functionality.
- Use the AD RMS console to verify that the correct group has been configured as the super users group.
- Run the following PowerShell commands on an AD RMS server to retrieve the super users group.
Important: The ADRMSAdmin PowerShell module is available in Windows Server 2008 R2 and later.
Import-Module ADRMSAdmin
New-PSDrive -Name MyRmsAdmin -PSProvider AdRmsAdmin -Root https://localhost
Get-ItemProperty -Path MyRmsAdmin:\SecurityPolicy\SuperUser
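The commands above only display the setting; the script below turns them into a check that can be run on the AD RMS server after the procedure or scheduled to detect drift, comparing the configured super users group against the address you expect and confirming the feature is enabled. This is an added example, not part of the original article; the property names IsEnabled and SuperUserGroup on the SuperUser item and the placeholder group address are assumptions.

```powershell
# Added example (not from the original article). Run on an AD RMS server as a
# member of AD RMS Enterprise Administrators, with the ADRMSAdmin module present.
param(
    # Placeholder: replace with the SMTP address of your dedicated super users group.
    [string]$ExpectedGroup = 'ADRMSSuperUsers@example.com'
)

Import-Module ADRMSAdmin

# Create the AdRmsAdmin drive once; reuse it if the session already has it.
if (-not (Get-PSDrive -Name MyRmsAdmin -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name MyRmsAdmin -PSProvider AdRmsAdmin -Root https://localhost | Out-Null
}

# Read the super user policy. Assumed property names: IsEnabled, SuperUserGroup.
$su = Get-ItemProperty -Path MyRmsAdmin:\SecurityPolicy\SuperUser

$problems = @()
if (-not $su.IsEnabled) {
    $problems += 'Super users are not enabled on this cluster.'
}
# -ne is case-insensitive in PowerShell, which is what we want for SMTP addresses.
if ($su.SuperUserGroup -ne $ExpectedGroup) {
    $problems += ("Super users group is '{0}', expected '{1}'." -f $su.SuperUserGroup, $ExpectedGroup)
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1      # non-zero exit so a scheduled run can raise an alert
}
Write-Host "Super users are enabled and the group is $ExpectedGroup."
```

Because the cluster caches group membership for up to 24 hours, a passing check here does not yet prove a freshly added member is effective; run Test-IRMConfiguration -Sender with a test user from the Exchange Management Shell to confirm end-to-end IRM operation.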