During installation, Active Directory Rights Management Services (AD RMS) creates the AD RMS Service Group on the local computer and grants it appropriate permissions on all of the resources that are required for AD RMS to operate. When you provision AD RMS on a server, you must define a domain account for use as the AD RMS service account.

That account is made a member of the AD RMS Service Group, and it is granted the permissions that are associated with this group. During routine operations, AD RMS runs under the AD RMS service account.

You can change the AD RMS service account at any time. When you do so, the previously specified account is automatically removed from the AD RMS Service Group, and the new account is made a member of it. If there is more than one server in the AD RMS cluster where you are changing the AD RMS service account, you must change the service account on all servers in the cluster.

To run the Change Service Account wizard, you must be logged on locally on the AD RMS server with a user account that has administrative privileges to the configuration database.


For security reasons, we highly recommend that you create a special user account to use as the AD RMS service account, and that you use this account only as the AD RMS service account and for no other purpose. In addition, you should not grant this account any additional permissions.

Membership in the AD RMS Enterprise Administrators and the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To change the AD RMS Service Account
  1. Open the Active Directory Rights Management Services console and select the AD RMS cluster.

  2. In the Actions pane, click Change Service Account.

  3. In the Change Service Account wizard, read the text on the Before Changing the AD RMS Service Account page, and then click Next.

  4. In the User name box, specify the name of the account within which AD RMS will run for most operations. The user name should use the format domain_name\user_name. In the Password box, type the password for the associated user account.

  5. Click Next, and then click Finish.

  6. Repeat steps 1–5 for each server in the AD RMS cluster.


The AD RMS service account cannot be the same domain account that was used to install AD RMS.

Additional considerations

Additional reference