The following procedure describes how to set the access control list (ACL) on the GroupExpansion folder and the GroupExpansion.asmx file, assuming that the organization has only two forests (Forest1 and Forest2). If you have more than two forests, repeat the procedure as necessary to configure the ACLs on all the servers in the Active Directory Rights Management Services (AD RMS) cluster.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To set the ACL on the GroupExpansion folder and GroupExpansion.asmx file
  1. Log on to a server of your AD RMS cluster in Forest1.

  2. Click Start, and then click Computer.

  3. Navigate to the %systemdrive%\inetpub\wwwroot\_wmcs folder.

  4. Right-click the GroupExpansion folder, and then click Properties.

  5. Click the Security tab, and then click Edit.

  6. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  7. Click Add, add the AD RMS service account from Forest2, for example, Forest2\ADRmsServiceAccount, and then click OK to close the dialog box. Continue to click OK until all of the open dialog boxes are closed.

  8. Repeat steps 1–7 for the GroupExpansion.asmx file located in the GroupExpansion folder.

  9. At a command prompt, type iisreset, and then press ENTER to restart Internet Information Services.
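
A scripted equivalent of steps 3 through 9 for running on each cluster server, added here as an example and not part of the original procedure. The procedure does not state which permissions to grant, so the `ReadAndExecute` right is an assumption (it mirrors what the Security tab assigns when an account is added without changes), and `Test-AllowAce` and `Add-AllowAce` are hypothetical helper names.

```powershell
# Added example, not the documented procedure. Run from an elevated prompt.
# Assumptions: the account name is the page's example; ReadAndExecute is assumed
# because the procedure does not name a permission level.
$account = 'Forest2\ADRmsServiceAccount'
$folder  = Join-Path $env:SystemDrive 'inetpub\wwwroot\_wmcs\GroupExpansion'
$file    = Join-Path $folder 'GroupExpansion.asmx'
$rights  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

# Hypothetical helper: true if an Allow ACE (explicit or inherited) already grants $Rights.
function Test-AllowAce {
    param([string]$Path, [string]$Identity, $Rights)
    $sid   = ([System.Security.Principal.NTAccount]$Identity).Translate([System.Security.Principal.SecurityIdentifier])
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -eq $sid.Value -and $r.AccessControlType -eq 'Allow' -and
            ($r.FileSystemRights -band $Rights) -eq $Rights) { return $true }
    }
    return $false
}

# Hypothetical helper: adds one Allow ACE without touching the existing entries.
function Add-AllowAce {
    param([string]$Path, [string]$Identity, $Rights)
    $inherit = 'None'
    if (Test-Path -Path $Path -PathType Container) { $inherit = 'ContainerInherit, ObjectInherit' }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $inherit, 'None', 'Allow')
    $acl  = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

$changed = $false
foreach ($p in $folder, $file) {
    if (-not (Test-Path -Path $p)) { throw "Not found: $p" }
    if (Test-AllowAce -Path $p -Identity $account -Rights $rights) {
        Write-Output "Already granted: $p"
    } else {
        Add-AllowAce -Path $p -Identity $account -Rights $rights
        Write-Output "Added ACE: $p"
        $changed = $true
    }
}
# Step 9: restart IIS, here only when an ACL was actually modified.
if ($changed) { iisreset }
```

Because the folder ACE is inheritable, the .asmx file normally reports "Already granted" on the second pass unless inheritance has been disabled on it. Re-running the script afterwards is a quick check that the entry is present on every server.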
