Share via


Add the Federation Mailbox to the AD RMS Super Users Group

 

Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

For the following Microsoft Exchange Server 2010 Information Rights Management (IRM) features to be enabled, you must add the Federation mailbox (a system mailbox created by Exchange 2010 Setup) to the super users group on your organization's Active Directory Rights Management Services (AD RMS) cluster:

  • IRM in Microsoft Office Outlook Web App

  • Journal report decryption

  • Transport decryption

You can configure a mail-enabled distribution group as a super users group in AD RMS. Members of the distribution group are granted an owner use license when they request a license from the AD RMS cluster. This allows them to decrypt all RMS-protected content published by that cluster. Whether you use an existing distribution group or create a distribution group and configure it as the super users group in AD RMS, we recommend that you dedicate the distribution group for this purpose and configure the appropriate settings to approve, audit, and monitor membership changes.

Note

If a super users group is already configured on an AD RMS cluster, any modifications to the distribution group membership can take up to 24 hours to be refreshed by the AD RMS cluster. This is a result of caching the group membership on the cluster.

Looking for other management tasks related to IRM? Check out Managing Information Rights Management.

Prerequisites

An AD RMS cluster is deployed in the Active Directory forest.

Use the Shell to add the Federation mailbox to a distribution group

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Distribution groups" entry in the Mailbox Permissions topic.

If a distribution group has been created and configured as a super users group in the AD RMS cluster, you can add the Exchange 2010 Federation mailbox as a member of that group. If a super users group isn't configured, you must create a distribution group and add the Federation mailbox as a member.

  1. Create a distribution group dedicated for use as an AD RMS super users group. For details, see Create a Distribution Group.

  2. Add the user FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042 to the new distribution group. The Federation mailbox is a system mailbox, and therefore not visible in the EMC. To add it to a distribution group, you must use the Add-DistributionGroupMember cmdlet from the Shell.

    This example adds the Federation mailbox to the ADRMSSuperUsers distribution group.

    Add-DistributionGroupMember ADRMSSuperUsers -Member FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042
    

For detailed syntax and parameter information, see Add-DistributionGroupMember.

Use AD RMS to set up a super users group

Perform the following procedure on an AD RMS cluster. The account used to perform this procedure must be a member of the AD RMS Enterprise Administrators local group on the AD RMS server.

  1. Open the Active Directory Rights Management Services console and expand the AD RMS cluster.

  2. In the console tree, expand Security Policies, and then click Super Users.

  3. In the action pane, click Enable Super Users.

  4. In the result pane, click Change Super User Group to open the Super Users property sheet.

  5. In the Super user group box, type the e-mail address of the distribution group you created in the previous procedure, or click Browse to select a distribution group.

Other Tasks

After you add the Federation mailbox to the AD RMS super users group, you may also want to:

 © 2010 Microsoft Corporation. All rights reserved.