Can I remove the account which I used to install AD RMS server from local administrator group on AD RMS Server

  • Question

  • I used my own account to run the installation for AD RMS. I used another service account while configuring AD RMS. Now everything is working. Can I remove my own account from the local administrator group on the AD RMS server and from the Enterprise admin group? My account will be a normal user account once I do that. I tried removing my account from the local admin group on the AD RMS server and I was getting an error, not able to recover data, in Server Manager. Also, I was not able to see the templates on the shared folder from any user PC. Does anyone have any idea on this? Please help ASAP.
    Monday, November 17, 2014 1:56 AM

All replies

  • Hi,

    Let me try to explain things here. If you wanted to register the SCP, you had to install ADRMS using an installation account which has Enterprise Administrator rights (which by default has local admin rights on the RMS server). You also needed permissions on the SQL DB to create the RMS DBs using your installation account.

    You should install ADRMS, and during setup you should set up a service account which is different from your installation account (I hope you did that...).

    After installation you should be able to remove your installation account from all groups without affecting ADRMS: Enterprise Administrators, Local Administrators and the AD RMS Enterprise Administrators group. However, if you need another account to manage ADRMS - you should add such an account to AD RMS Enterprise Admins (local group) and Local Admins (also a local group) and optionally the SysAdmins group on the SQL server. If this account is not in the Local Admins group (nor AD RMS Enterprise Administrators), you will be receiving errors regarding Server Manager or the ADRMS console.

    If you installed ADRMS using your installation account as your service account (you can check this by checking under which account the ADRMS pool is running in IIS), it is highly recommended you change it! If you need to change the ADRMS service account, make sure you do this through the ADRMS console (not through IIS)!

    When it comes to the shared folder - check ACLs :)


    Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer.

    Thursday, November 20, 2014 6:45 PM
  • "However, if you need another account to manage ADRMS - you should add such account to AD RMS Enterprise Admins (local group) and Local Admins (also local group) and optionally SysAdmins group on SQL server." - The above group membership is on the ADRMS server, not on the ADDS, am I correct?
    Tuesday, October 6, 2015 6:15 PM
  • Hi Velmurukan,

    Yes, those are local groups (except the SysAdmins permission on the SQL server - it's a SQL permission). You may want to create ADDS groups and add them to the corresponding local groups, and effectively use ADDS groups.


    Sunday, November 15, 2015 8:25 PM
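
The checks described in the replies above, gathered into one pre-removal audit to run elevated on the AD RMS server. This is an added example, not part of the original thread. The account name `CONTOSO\rms-install` is a placeholder, and the script assumes Windows PowerShell 5.1 (for `Get-LocalGroupMember`) and the IIS `WebAdministration` module.

```powershell
param(
    # Placeholder (assumption): the account that was used to install AD RMS.
    [string]$InstallAccount = 'CONTOSO\rms-install'
)

Import-Module WebAdministration   # provides the IIS:\ drive

# 1. Direct members of the two local groups named in the thread.
#    Nested membership (for example through a domain group) is not expanded,
#    so entries of Type 'Group' still need to be reviewed by hand.
$report = @(foreach ($group in 'Administrators', 'AD RMS Enterprise Administrators') {
    foreach ($m in Get-LocalGroupMember -Group $group) {
        [pscustomobject]@{
            Check     = "Local group: $group"
            Principal = $m.Name
            Type      = $m.ObjectClass
            IsInstall = ($m.Name -ieq $InstallAccount)
        }
    }
})

# 2. Identity of every IIS application pool, to see whether the AD RMS pool
#    runs as the installation account instead of a separate service account.
$report += @(foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $identity = if ($pool.processModel.identityType -eq 'SpecificUser') {
        $pool.processModel.userName
    } else {
        [string]$pool.processModel.identityType
    }
    [pscustomobject]@{
        Check     = "App pool: $($pool.Name)"
        Principal = $identity
        Type      = 'PoolIdentity'
        IsInstall = ($identity -ieq $InstallAccount)
    }
})

$report | Format-Table -AutoSize

# 3. Flag the two conditions that make removing the account unsafe.
if ($report | Where-Object { $_.Type -eq 'PoolIdentity' -and $_.IsInstall }) {
    Write-Warning "An app pool runs as $InstallAccount; change the service account in the AD RMS console first."
}
$otherAdmins = $report | Where-Object {
    $_.Check -eq 'Local group: AD RMS Enterprise Administrators' -and -not $_.IsInstall
}
if (-not $otherAdmins) {
    Write-Warning "No other principal is in 'AD RMS Enterprise Administrators'; add a management account or group before removing $InstallAccount."
}
```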