| Event Id | 147 |
| Source | Active Directory Rights Management Services |
| Description | Active Rights Management Services (AD RMS) group membership expansion across forests failed. |
| Event Information | According to Microsoft : Cause : This event is logegd when Active Rights Management Services (AD RMS) group membership expansion across forests failed. Resolution : Check group expansion pipeline URL When Active Directory Rights Management Services (AD RMS) users consume rights-protected content that was not protected in the user account's home forest (the Active Directory forest where the user account resides), the AD RMS cluster will contact the AD RMS cluster in the remote forest (an Active Directory forest with AD RMS installed and an AD RMS trust policy established) by using group expansion. The AD RMS group expansion URL must be valid and the AD RMS service account must have access to the AD RMS group expansion pipeline. Note : To perform these procedures, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority. Ensure that AD RMS group expansion URL is correct To ensure that the AD RMS group expansion URL is correct: 1.Log on to a server in the AD RMS cluster in the home forest using the home cluster's AD RMS service account credentials. 2.Click Start, clickAll Programs, and then clickInternet Explorer. 3.In the address bar, type http(s)://cluster_url/groupexpansion/groupexpansion.asmx where cluster_url is the cluster URL for AD RMS in the remote forest, and then press ENTER. 4.Verify that the GroupExpansionWebService Web Service Web page appears in the browser window. 5.If the GroupExpansion WebService Service Web page does not appear, add the AD RMS service account to the AD RMS cluster group expansion pipeline in the remote forest. Add the AD RMS service account to the cluster group expansion pipeline in the remote forest To add the AD RMS service account to the cluster group expansion pipeline in the remote forest: 1.Log on to an AD RMS server in the remote forest. 2.ClickStart, and then clickComputer. 3.Navigate to the IIS home directory. By default, the path to this directory is %systemdrive%:\inetpub\wwwroot where %systemdrive% is the partition on which Windows is installed. 4.Double-click _wmcs. 5.Double-clickgroupexpansion. 6.Right-clickgroupexpansion.asmx, and then clickProperties. 7.Click theSecurity tab. 8.ClickAdvanced, and then clickEdit. 9.ClickAdd. 10.On the SelectUsers, Computers, or Groups window, type the name of the AD RMS service account and then clickOK. 11.ClickOK and then clickOK again. 12.Repeat steps 1 - 11 for all servers in the AD RMS cluster in the remote forest. Verify : To perform this procedure, you must be a member of the local Users group, or you must have been delegated the appropriate authority. Note: Microsoft Office Word 2007 is used as an example in this section. Any AD RMS-enabled application can be used in place of Word 2007. To verify that AD RMS can access the Active Directory Domain Services forest: 1.Log on to an AD RMS-enabled client computer. 2.ClickStart, point toAll Programs, point toMicrosoft Office, and then click Microsoft Office Word 2007. 3.In the new document typeThis is a test document. 4.Click the Microsoft Office Start Button, point toPrepare, point toRestrict Permissions, and then clickRestricted Access. 5.Select theRestrict permissions to this document check box. 6.Type another AD RMS user's e-mail address in the Read box, and then click OK.. 7.Send this file to the person who was granted access in step 6. 8.Have this person open the document and verify that he or she cannot do anything else other than read the document, such as print it. |
| Reference Links | Event ID 147 from Source Active Directory Rights Management Services |
Catch threats immediately
We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.