The AD RMS super users group is a special group that has full control over all rights-protected content managed by the cluster. Its members are granted full owner rights in all use licenses that are issued by the AD RMS cluster on which the super users group is configured. This means that members of this group can decrypt any rights-protected content file and remove rights-protection from it.

The super users group is not enabled and is not assigned a group by default. When you enable the Super Users setting in the Active Directory Rights Management Services console, you can specify an Active Directory Domain Services (AD DS) universal group to use as the super users group for AD RMS. The group must exist in the same forest as the AD RMS installation. Any user accounts that are members of the group that you specify as the AD RMS super users group are automatically granted the permissions of the super users group.


Enabling the super users group should be done only on an as-needed basis. During normal operations, the super users group should be disabled. It should be enabled only when it can be justified.

Membership in the local AD RMS Enterprise Administrators group, or equivalent, is the minimum required to complete this procedure.

To set up a super users group
  1. Open the Active Directory Rights Management Services console and expand the AD RMS cluster.

  2. In the console tree, expand Security Policies, and then click Super Users.

  3. In the Actions pane, click Enable Super Users.

  4. In the results pane, click Change Super User Group to open the Super Users properties sheet.

  5. In the Super user group box, type the e-mail address of an existing group in the Active Directory forest, or click Browse to navigate through the defined users and groups in the directory.

  6. Click OK.
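
The same procedure can be scripted through the AD RMS Windows PowerShell provider so that the group is enabled only for a justified task, its effective membership is reviewed, and the setting is switched off again afterwards. The script below is an added example, not part of the original procedure. The group address, the cluster URL, the `RMS` drive name and the `-Enable` switch are assumptions, as is the group living in the current domain.

```powershell
# Added example, not from the original page. Run on an AD RMS server in an
# elevated Windows PowerShell session as an AD RMS Enterprise Administrator.
param(
    # Assumption: placeholder e-mail address of an existing universal group.
    [string]$SuperUserGroupMail = 'adrms-superusers@example.com',
    # Assumption: https://localhost addresses the cluster from this server.
    [string]$ClusterUrl = 'https://localhost',
    # Pass -Enable only for the duration of a justified task; without it
    # the script disables the super users setting.
    [switch]$Enable
)

Import-Module AdRmsAdmin, ActiveDirectory -ErrorAction Stop
if (-not (Get-PSDrive -Name RMS -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name RMS -PSProvider AdRmsAdmin -Root $ClusterUrl -ErrorAction Stop | Out-Null
}
$path = 'RMS:\SecurityPolicy\SuperUser'

# Resolve the group first so a typo never ends up in the cluster configuration.
# Assumption: the group is in the current domain; query a global catalog
# (-Server <dc>:3268) if it lives elsewhere in the forest.
$group = @(Get-ADGroup -Filter "mail -eq '$SuperUserGroupMail'" -Properties mail)

if ($Enable) {
    if ($group.Count -ne 1) { throw "Expected exactly one group with mail $SuperUserGroupMail." }
    if ($group[0].GroupScope -ne 'Universal') { throw "$($group[0].Name) is not a universal group." }
    Set-ItemProperty -Path $path -Name IsEnabled -Value $true
    Set-ItemProperty -Path $path -Name SuperUserGroup -Value $SuperUserGroupMail
} else {
    Set-ItemProperty -Path $path -Name IsEnabled -Value $false
}

# Report the resulting state (assumes the provider returns IsEnabled and
# SuperUserGroup as properties of this container).
Get-ItemProperty -Path $path | Select-Object IsEnabled, SuperUserGroup | Format-List

# Every account listed here, including members of nested groups, can decrypt
# all content protected by this cluster while the setting is enabled.
if ($group.Count -eq 1) {
    Get-ADGroupMember -Identity $group[0] -Recursive |
        Select-Object Name, SamAccountName, objectClass |
        Sort-Object Name
}
```

Run it with `-Enable` before the task and without the switch afterwards, and keep the member listing with the change record for the task.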

Additional considerations

Additional reference