-->
AD RMS running on Windows Server 2012 R2 or Windows Server 2012 meets the requirements of FIPS 140-2 when this server role is deployed as described in FIPS Compliance Issues for RMS.
This is accomplished through Windows Rights Management and it is implemented via a rights management server (a Windows Server 2003 machine with the rights management service installed). In this article, we'll take a look at what RMS is, how it works and how it integrates with Office 2003.
Applies to
- Windows 10
Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows.User rights govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tasks on a device or in a domain. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a device and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the User Rights Assignment item.
Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy Management Console (GPMC) underComputer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesUser Rights Assignment, or on the local device by using the Local Group Policy Editor (gpedit.msc).
For information about setting security policies, see Configure security policy settings.
The following table links to each security policy setting and provides the constant name for each. Setting descriptions contain reference information, best practices for configuring the policy setting, default values, differences between operating system versions, and considerations for policy management and security.
Group Policy Setting | Constant Name |
---|---|
Access Credential Manager as a trusted caller | SeTrustedCredManAccessPrivilege |
Access this computer from the network | SeNetworkLogonRight |
Act as part of the operating system | SeTcbPrivilege |
Add workstations to domain | SeMachineAccountPrivilege |
Adjust memory quotas for a process | SeIncreaseQuotaPrivilege |
Allow log on locally | SeInteractiveLogonRight |
Allow log on through Remote Desktop Services | SeRemoteInteractiveLogonRight |
Back up files and directories | SeBackupPrivilege |
Bypass traverse checking | SeChangeNotifyPrivilege |
Change the system time | SeSystemtimePrivilege |
Change the time zone | SeTimeZonePrivilege |
Create a pagefile | SeCreatePagefilePrivilege |
Create a token object | SeCreateTokenPrivilege |
Create global objects | SeCreateGlobalPrivilege |
Create permanent shared objects | SeCreatePermanentPrivilege |
Create symbolic links | SeCreateSymbolicLinkPrivilege |
Debug programs | SeDebugPrivilege |
Deny access to this computer from the network | SeDenyNetworkLogonRight |
Deny log on as a batch job | SeDenyBatchLogonRight |
Deny log on as a service | SeDenyServiceLogonRight |
Deny log on locally | SeDenyInteractiveLogonRight |
Deny log on through Remote Desktop Services | SeDenyRemoteInteractiveLogonRight |
Enable computer and user accounts to be trusted for delegation | SeEnableDelegationPrivilege |
Force shutdown from a remote system | SeRemoteShutdownPrivilege |
Generate security audits | SeAuditPrivilege |
Impersonate a client after authentication | SeImpersonatePrivilege |
Increase a process working set | SeIncreaseWorkingSetPrivilege |
Increase scheduling priority | SeIncreaseBasePriorityPrivilege |
Load and unload device drivers | SeLoadDriverPrivilege |
Lock pages in memory | SeLockMemoryPrivilege |
Log on as a batch job | SeBatchLogonRight |
Log on as a service | SeServiceLogonRight |
Manage auditing and security log | SeSecurityPrivilege |
Modify an object label | SeRelabelPrivilege |
Modify firmware environment values | SeSystemEnvironmentPrivilege |
Perform volume maintenance tasks | SeManageVolumePrivilege |
Profile single process | SeProfileSingleProcessPrivilege |
Profile system performance | SeSystemProfilePrivilege |
Remove computer from docking station | SeUndockPrivilege |
Replace a process level token | SeAssignPrimaryTokenPrivilege |
Restore files and directories | SeRestorePrivilege |
Shut down the system | SeShutdownPrivilege |
Synchronize directory service data | SeSyncAgentPrivilege |
Take ownership of files or other objects | SeTakeOwnershipPrivilege |
Related topics
-->Applies To: Windows Server 2012 R2, Windows Server 2012
Did you know that Microsoft Azure provides similar functionality in the cloud? Learn more about Microsoft Azure identity solutions. Create a hybrid identity solution in Microsoft Azure: - Learn about Azure Rights Management. - Deploy the Azure Rights Management Connector. |
This document provides an overview of Active Directory Rights Management Services (AD RMS) in Windows Server® 2012. AD RMS is the server role that provides you with management and development tools that work with industry security technologies—including encryption, certificates, and authentication—to help organizations create reliable information protection solutions.
Did you mean…
Role description
AD RMS can be used to augment the security strategy for your organization by protecting documents using information rights management (IRM).
AD RMS allows individuals and administrators through IRM policies to specify access permissions to documents, workbooks, and presentations. This helps prevent sensitive information from being printed, forwarded, or copied by unauthorized people. After permission for a file has been restricted by using IRM, the access and usage restrictions are enforced no matter where the information is, because the permission to a file is stored in the document file itself.
AD RMS and IRM help individuals enforce their personal preferences concerning the transmission of personal or private information. They also help organizations enforce corporate policy governing the control and dissemination of confidential or proprietary information.
Note
AD RMS running on Windows Server 2012 R2 or Windows Server 2012 meets the requirements of FIPS 140-2 when this server role is deployed as described in FIPS Compliance Issues for RMS.
Practical applications
IRM solutions that AD RMS enables are used to help provide the following:
- Persistent usage policies, which remain with the information, no matter where it is moved, sent or forwarded.
- An additional layer of privacy to protect sensitive information —such as financial reports, product specifications, customer data, and confidential e-mail messages—from intentionally or accidentally getting into the wrong hands.
- Prevent an authorized recipient of restricted content from forwarding, copying, modifying, printing, faxing, or pasting the content for unauthorized use
- Prevent restricted content from being copied by using the Print Screen feature in Microsoft Windows
- Support file expiration so that content in documents can no longer be viewed after a specified period of time
- Enforce corporate policies that govern the use and dissemination of content within the company
IRM-based solutions that AD RMS supports cannot prevent all types of threats to the security of sensitive documents or prevent disclosure of screen readable information under all circumstances. For example, the following are some types of document security threats that AD RMS does not address or mitigate:
- Content from being erased, stolen, or captured and transmitted by malicious programs such as Trojan horses, keystroke loggers, and certain types of spyware
- Content from being lost or corrupted because of the actions of computer viruses
- Restricted content from being hand-copied or retyped from a display on a recipient's screen
- A recipient from taking a digital photograph of the restricted content displayed on a screen
- Restricted content from being copied by using third-party screen-capture programs
For more information about how AD RMS can be used to design secure document collaboration, see AD RMS Architecture Design and Secure Collaboration Scenarios.
For information about how AD RMS can secure all file types, see How RMS protects all file types – by using the RMS sharing app.
New and changed functionality
Windows Server Rights Management Services
Several improvements have been made to the Windows Server 2012 version of AD RMS. These enhancements are covered online in the article What’s New in AD RMS?
Server Manager information
The installation of AD RMS role services can be performed through the Server Manager. The following role services can be installed:
Role service | Description |
---|---|
Active Directory Rights Management Server | The Active Directory Rights Management Server is a required role service that installs all AD RMS features used to publish and consume rights-protected content. |
Identity Federation Support | The identity federation support role service is an optional role service that allows federated identities to consume rights-protected content by using Active Directory Federation Services. |
Upgrading or migrating
If you are running a version of Rights Management that you want to upgrade or migrate to the latest version, use the following resources:
- To upgrade or migrate to Active Directory Rights Management (AD RMS): RMS to AD RMS Migration and Upgrade Guide
- To migrate to Azure Rights Management (Azure RMS): Migrating from AD RMS to Azure Rights Management
Windows Server Rights Management Services Cal
See also
The following table provides additional resources for evaluating AD RMS.
Content type | References |
---|---|
Product evaluation | - Test Lab Guide: Deploying an AD RMS Cluster |
Deployment | - How AD RMS Works - RMS to AD RMS Migration and Upgrade Guide - AD RMS Infrastructure Deployment Tips - Using AD RMS with Hardware Security Modules - Deploying Active Directory Rights Management Services with Active Directory Federation Services - Active Directory Rights Management Services Mobile Device ExtensionTip: Have a problem with your AD RMS deployment, or just want to check the health of your AD RMS infrastructure? Download and run the RMS Analyzer. |
Community resources | - Roadmap for AD RMS documentation in TechNet Library: AD RMS Documentation Roadmap - Frequently asked questions (FAQs) on the TechNet wiki: Active Directory Rights Management Services (AD RMS) Frequently Asked Questions (FAQ) - Support forum: RMS Forum - Product team blog for IT professionals: AD RMS Team Blog - AD RMS Developer's Corner Blog: AD RMS Developer's Corner Blog - Script repository: TechNet Script Center Repository (search for RMS, AD RMS or rights management). - Community technology overview on the TechNet wiki: Active Directory Rights Management Services (AD RMS) Overview |
Related technologies | Active Directory Certificate Services Active Directory Domain Services Active Directory Federation Services Active Directory Lightweight Directory Services Azure Rights Management |