Cross Forest SuperUsers - How it's done.
Heres the scenario:
You have two forests we will call ForestA and ForestB.
You have an RMS server in each forest, and a two way trust setup between forests.
You have a group of users in both forests that need to be able to be SuperUsers in both organizations.
Solution:
You can only assign an AD group in the forest where RMS resides as the SuperUsers group.
Create a Universal Group in ForestA and fillout the mail attribute rmssupers@forestA.com - Assign users in forest A to this group.
Assign the superUsers option in RMS to rmssupers@forestA.com
Create a Universal Group in ForestB and fillout the mail attribute rmssupers@forestB.com - Assign users in forest B to this group.
Assign the SuperUsers option in RMS to rmssupers@forestB.com
In ForestA create a contact object, and give it the mail attribute of rmssupers@forestB.com, and set the MsExchOriginatingForest attribute to forestB.com - put this contact object in the members of the rmssupers@forestA.com group.
In ForestB create a contact object, and give it the mail attribute of rmssupers@forestA.com, and set the MsExchOriginatingForest attribute to forestAcom - put this contact object in the members of the rmssupers@forestA.com group.
If a superuser in forestB tries to open content that was sent from ForestA, the RMS server will iterate through the superusers group, find the contact object, see that it belongs to forestB, go ask the RMS server in forestB if the user requesting access is a member of the group the contact object is pointed to (which should return true), and allow the user from forestB to open content as a superUser.
Now say that 10 times fast.
-Jason