How to clear AD RMS super user group membership cache

Active Directory Rights Management Services (AD RMS) is an information protection technology. One of the areas in which AD RMS is useful is preventing leakage of sensitive information that passes through Exchange Server in the company. You can also use AD RMS on its own to protect Office documents, or together with SharePoint Server to control access to your sites.

AD RMS protects information (documents, emails etc.) by encrypting it. In order to decrypt AD RMS protected content, you need licenses. Members of the super users group are always granted licenses for protected content. You can set this group from the Security Policies container in the AD RMS management tool.

Super user group in AD RMS

A change to this group takes effect only after 24 hours, because the server caches the membership list of this group locally to avoid sending too many requests to the AD domain controller. If you don’t want to wait 24 hours, follow the steps below:

  1. Log in to the AD RMS SQL Server
  2. Open SQL Server Management Studio
  3. Right-click the PrincipalIdentifiers table in the DRMS_DirectoryServices database and choose Edit rows
  4. Change the expiration dates to a past time

    Editing the PrincipalIdentifiers table
  5. Apply steps 3 and 4 to the GroupIdentifiers table in the same database

    GroupIdentifiers table
  6. Restart IIS on the AD RMS server
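The same procedure scripted end to end, as an added example that is not part of the original post. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) is available, that you have write access to the DRMS_DirectoryServices database, and that PowerShell remoting to the AD RMS front-end server works. The post does not name the expiration column, so `ExpirationTime`, the instance name and the server name are placeholders; the first query lists the datetime columns of both tables so the real column name is confirmed before anything is changed.

```powershell
# Added example, not from the original post.
# Placeholders to adjust: $SqlInstance, $ExpiryColumn, $RmsServer.
param(
    [string]$SqlInstance  = 'ADRMS-SQL\INSTANCE',   # placeholder: AD RMS configuration SQL instance
    [string]$Database     = 'DRMS_DirectoryServices',
    [string[]]$Tables     = @('PrincipalIdentifiers', 'GroupIdentifiers'),
    [string]$ExpiryColumn = 'ExpirationTime',        # placeholder: confirm against the listing below
    [string]$RmsServer    = 'ADRMS-SRV'              # placeholder: AD RMS server whose IIS is restarted
)

# Step 1: show the datetime-typed columns of both cache tables so the column
# to expire is verified from the schema rather than guessed.
$columnQuery = @"
SELECT TABLE_NAME, COLUMN_NAME, DATA_TYPE
FROM INFORMATION_SCHEMA.COLUMNS
WHERE TABLE_NAME IN ('PrincipalIdentifiers', 'GroupIdentifiers')
  AND DATA_TYPE IN ('datetime', 'datetime2', 'smalldatetime')
ORDER BY TABLE_NAME, COLUMN_NAME
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database -Query $columnQuery |
    Format-Table -AutoSize

# Step 2: move every cached expiration one day into the past, one transaction
# per table, and report how many rows were touched. XACT_ABORT makes any
# error roll the whole statement back instead of leaving a partial update.
foreach ($table in $Tables) {
    $updateQuery = @"
SET XACT_ABORT ON;
BEGIN TRANSACTION;
UPDATE [$table] SET [$ExpiryColumn] = DATEADD(day, -1, GETUTCDATE());
SELECT @@ROWCOUNT AS RowsExpired;
COMMIT TRANSACTION;
"@
    $result = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database -Query $updateQuery
    Write-Host ("{0}: {1} cached rows expired" -f $table, $result.RowsExpired)
}

# Step 3: restart IIS on the AD RMS server so the pipeline re-reads the
# super users group from Active Directory instead of the expired cache.
Invoke-Command -ComputerName $RmsServer -ScriptBlock { iisreset /noforce }
```

Run step 1 on its own first and replace the `ExpiryColumn` placeholder with the column it reports before letting step 2 execute; take a backup of DRMS_DirectoryServices beforehand, as with any direct edit of an AD RMS configuration database.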

3 thoughts on “How to clear AD RMS super user group membership cache”

  1. Random fact, but I hope you’re aware that the SuperUsers have access to every file. Everybody in your domain can acquire a license for the documents they are authorised for; a superuser can acquire a license for any file… Don’t put any users in there 😉

    1. Good catch! However, we need to use the superuser group for Exchange – AD RMS integration. It is a good idea to put a user that doesn’t belong to any real person in this group.
