http://blogs.msdn.com/rms/archive/tags/Windows+Server+R2+features/default.aspxTags: Windows Server R2 featuresen-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.msdn.com/rms/archive/2009/06/09/group-expansion-for-federated-users.aspxTue, 09 Jun 2009 20:56:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:9716799tonytri0http://blogs.msdn.com/rms/comments/9716799.aspxhttp://blogs.msdn.com/rms/commentrss.aspx?PostID=9716799http://blogs.msdn.com/rms/rsscomments.aspx?PostID=9716799<P>[<STRONG>Note -</STRONG>&nbsp;This post assumes the reader is familiar with terms such as <A href="http://msdn.microsoft.com/en-us/library/cc530453(VS.85).aspx" mce_href="http://msdn.microsoft.com/en-us/library/cc530453(VS.85).aspx">issuance license</A>, <A href="http://technet.microsoft.com/en-us/library/cc731599(WS.10).aspx" mce_href="http://technet.microsoft.com/en-us/library/cc731599(WS.10).aspx">rights-policy templates</A>, and <A href="http://technet.microsoft.com/en-us/library/cc755156(WS.10).aspx" mce_href="http://technet.microsoft.com/en-us/library/cc755156(WS.10).aspx">AD RMS trust policies</A> (federated trust).&nbsp; In summary, an issuance license represents the usage policy for a piece of content and contains a list of authorized users and usage rights assigned to each&nbsp;user. Rights-policy templates are used to control the rights that a user or group has on a particular piece of rights-protected content.&nbsp;Federated trust refers to using Active Directory Federation Services to establish trust between two forests.</P> <P>This blog post references Windows Server 2008 R2. The release candidate for Windows Server 2008 R2 can be downloaded at <A href="http://www.microsoft.com/">www.microsoft.com</A>. Please see the <A href="http://technet.microsoft.com/en-us/library/cc771425(WS.10).aspx" mce_href="http://technet.microsoft.com/en-us/library/cc771425(WS.10).aspx">AD RMS with AD FS Identity Federation Step-by-Step Guide</A> to&nbsp;learn how to configure an AD RMS server to work with <A href="http://technet.microsoft.com/en-us/library/dd391937(WS.10).aspx" mce_href="http://technet.microsoft.com/en-us/library/dd391937(WS.10).aspx">Active Directory Federation Services (ADFS)</A>.]</P> <P>AD RMS in Windows Server 2008 R2 can support groups that contain external, federated users. In Windows Server 2008, federated users&nbsp;had to be individually named in the issuance license or individually added to an AD RMS rights-policy template. Now, because group expansion for federated users is supported, it is possible to add&nbsp;federated users to a group and create protected content specifically for the group. This can be accomplished by creating a contact object for the federated users in Active Directory,&nbsp;in the forest where&nbsp;the AD RMS server is located, and adding that contact object to the group where you want to include the federated users. </P> <P>Here’s an example:<BR>Contoso&nbsp;has AD RMS and a group called TopSecretProj@Contoso.com.&nbsp;Contoso has decided to collaborate with Fabrikam. Usr01@Fabrikam.com&nbsp;must&nbsp;access all content that is shared&nbsp;with&nbsp;the TopSecretProj@Contoso.com group.&nbsp; The IT administrator in&nbsp;Contoso can create a contact object for Usr01@Fabrikam.com in Active Directory&nbsp;and add the new contact object as a member of TopSecretProj@Contoso.com.&nbsp; <BR>As long as you have identity federation support configured and enabled between the two companies, <A href="mailto:Usr01@Fabrikam.com">Usr01@Fabrikam.com</A>&nbsp;has access to all the content published for <A href="mailto:TopSecretProj@Contoso.com">TopSecretProj@Contoso.com</A>.</P> <P><IMG style="WIDTH: 718px; HEIGHT: 590px" src="http://7hcazq.blu.livefilestore.com/y1pjn0lR52a-7cUauqLpkAMN4X0r7B27g3JOWgLBfatMVjWfiLBt9GvnoeNmbtNV837cKOr2Pr3nH4DAz3jKkyvrQVV8u7ebGCK/sunitha_graphic.jpg" width=718 height=590 mce_src="http://7hcazq.blu.livefilestore.com/y1pjn0lR52a-7cUauqLpkAMN4X0r7B27g3JOWgLBfatMVjWfiLBt9GvnoeNmbtNV837cKOr2Pr3nH4DAz3jKkyvrQVV8u7ebGCK/sunitha_graphic.jpg"></P> <P>Sunitha Samuel,&nbsp;Lead Software Design Engineer in Test</P> <P mce_keep="true">&nbsp;</P><img src="http://blogs.msdn.com/aggbug.aspx?PostID=9716799" width="1" height="1">AD RMSWindows Server R2 features