Active Directory Rights Management Services (AD RMS) Group Membership Issue (Partner)


  • Hi All,

    I have an AD RMS infrastructure setup and in production. I am having an issue with group membership of my users. If a user has acquired an RAC before (has used RMS before), if I add the user to any group it is not reflected in AD RMS. Here is an example case:

    User A has acquired an RAC.

    I add User A to Group B.

    User C creates an RMS protected document and grants Group B change rights.

    Rightfully, User A should have change rights to the document. However, the User A does not. I have tried deleting the RAC and re-configuring the user. I have tried logoff and logon and I have tried a reboot. The issue still persists.

    I decided to create a new user in AD named User D. I add User D to Group B. I perform the following use case:

    User D acquires an RAC (uses RAC for the first time).

    User D opens the document created by User C and successfully opens the document and has change rights.

    I tried to reproduce the issue and it is consistent. If a user has already acquired an RAC before being added to a group, the group membership does not reflect in AD RMS. I a user is added to a group before acquiring an RAC for the first time, the group membership reflects in AD RMS.

    This issue is evident with regular AD groups as well as the AD RMS Super User group. The RAC validity is 365 days.

    Any help with this issue is greatly appreciated.


    David Paul Ngo

    • Moved by Tim QuanModerator Wednesday, June 30, 2010 9:06 AM (From:Windows Server 2008 R2 General)
    Monday, June 14, 2010 5:58 AM