Troubleshooting AD RMS just got easier!

Microsoft has released public previews of two Rights Management Services Diagnostic Tools.

These tools diagnose settings, configurations and behavior of your Active Directory Rights Management Services (AD RMS) infrastructure. There are two tools, one for RMS Client and one for RMS Server.

The tools are very small, only about 200 kb each. They do not require installation and can be downloaded here:

This is what the RMS Client Diagnostic app looks like (see below for Server screenshots):


I ran diagnostics on my test client and you can see that I have some issues with Intranet Sites:


Clicking Fix it in the left menu and then the View Operations button displays what will be done if I choose to click Fix It Now.


When I did click Fix It Now, the fix succeeded:


Running the diagnostics again shows no error this time:


You can also use this tool to reset the cached RMS-related files on your client, even if no errors were found. Note that this action will not make you lose access to any RMS-protected data. It only means that the next time RMS is used on the client, you will be automatically bootstrapped (get a fresh set of user certificates and templates):




This is what the RMS Server Diagnostic app looks like:


By clicking Server in the left menu you get information about my RMS Server installation:


By running Diagnostics, RMS server related tests are performed. I got a warning that a group email address was not found for my current account:


Clicking Templates enables me to download published RMS templates. I can expand each of them to get more detailed information. Here I have expanded the FTE – Edit and print template:


On the Membership menu you can quickly check whether a user is a member of an RMS-enabled group. This can help troubleshoot users who cannot open documents they believe they should have access to:

The user Klara is not a member of the TeamHelix group:


The user Max, however, is a member of the TeamHelix group:


I hope you will find these tools useful.

Update 2015-05-13

There is a new version of this tool, read more about it here:

In the new version the Membership page has been updated to also include checking membership of Templates:


About Tom Aafloen

IT Security Advisor @ Onevinn

4 Responses to Troubleshooting AD RMS just got easier!

  1. Dylan Nicholson says:

    Does this work for Azure RMS? Is source code available? Thanks!

    • Tom Aafloen says:

      No, not with Azure RMS at the moment, but it will most likely do that before long. I’ll try to remember to comment here if/when it does.
      I’ll look into the source code question, but my guess is that it will stay proprietary.

      • Dylan Nicholson says:

        Ok, just that I haven’t figured out how to get it to work for my own application, following steps as per here:
        In particular it doesn’t seem to matter what I put in the IPC_CREDENTIAL_SYMMETRIC_KEY structure I either get “the user hasn’t been authenticated” or “parameter is incorrect”.

  2. Pingback: Rights Management Services Analyzer Tool – updated | Microsoft Security Solutions
