Your network contains an Active Directory domain. The domain contains an Active Directory Rights Management Services (AD RMS) cluster and a certification authority (CA).
You need to ensure that all the documents that are protected by using AD RMS can be decrypted if the account used to encrypt the documents is deleted.
What should you do?
A. Configure super users in the AD RMS deployment.
B. Manually configure the AD RMS cluster key password.
C. Back up the AD-RMS -protected files by using Windows Server Backup.
D. Configure key archival on the CA.
109iven answer A is correct.
https://technet.microsoft.com/zh-tw/library/ee849845(v=ws.10).aspx
The Active Directory Rights Management Services (AD RMS) super user group is a special group that has full control over all rights-protected content managed by the cluster. Its members are granted full owner rights in all use licenses that are issued by the AD RMS cluster on which the super users group is configured.
This means that members of this group can decrypt any rights-protected content file and remove rights-protection from it.
Lab testing has confirmed that no matter the original encryptor’s account status is active, disabled or even deleted, member of super users group could decrypt documents secured by an encryptor unconditionally.