AD RMS and Group Expansion

We get occasional questions from customers about AD RMS and group expansion across forests. The following are a few links that can help answer your questions concerning group expansion:

  • The topic Deploying RMS Across Forests contains a thorough explanation of how AD RMS works in a multiple-forest environment: “RMS uses Active Directory to identify users and distribution groups. When an organization’s Active Directory deployment includes multiple forests, RMS uses contact objects to obtain the identities of users and groups that are part of a different forest than the RMS server.”
  • The topic Release Notes for Windows Rights Management Services with Service Pack 2 contains a brief description of the group expansion functionality available in Windows RMS SP2: “…group expansion across forests facilitates the ability for RMS to expand Active Directory Universal group membership in a different forest where group memberships are not replicated between two forests…”
  • Jason Tyler, a senior support engineer, has a post on his blog called Troubleshooting your RMS Server and Group Membership: “The only time that I usually will get on an RMS server to track things down (once it is setup and provisioned), is when I get a call from someone who says 'I am sending this RMS/IRM protected message to a group, and people in the group cannot open the message'.”