Setting up user accounts for MBAM 2.5

Hi All My name is Mayank sharma and i am technical advisor here at Microsoft. In this blog I am going to discuss some very common issue that we see people encounter while setting up MBAM 2.5; primarily because MBAM 2.5 is very different with respect to MBAM 2.0 as far as user account goes.

Though there is a TechNet article which lists out all the requirements https://technet.microsoft.com/en-us/library/dn645328.aspx but few has found it little too confusing. So thought of sorting it out now.

the simplest way to start off is to get two user accounts one with read and write privileges and second with read only privileges. this can be a user or a group; i prefer group so that we can add or delete MBAM administrators if someone joins in or leaves the company. Lets name the group now:

a. RW- A group that will hold read write privileges over the database; don't worry you dont have to give the permissions manually.

b. RO- a Group that will have a read only privileges over the domain account.

Reporting services:

Under reporting services, we have two fields:

"Name of the domain group whose members have read-only access to the reports in the Administration and Monitoring Website." and "Domain user account and password that the local SQL Server Reporting Services instance uses to access the Compliance and Audit Database."

they both are meant for two totally different usages however the permissions they need are identical in every sense. i.e. read permissions on databases, so let's create users for these,

c. R-AW (reports for administration website) add this user in group RO.

d. R-SSRS(reports to be usede by SSRS) add this user in group RO.

 

For administration website:

this is relatively straight forward: create three groups.

e. MBAM-A-HELPDESK - A group for MBAM for advanced helpdesk users.

f. MBAM-HELPDESK - A group for MBAM for helpdesk users.

g. MBAM-report - A group for report user.

 

Now Create a user for web service account; this is a user which will be used by MBAM to authenticate and communicate on behalf of the MBAM server. you must configure the constrain delegation for this user account to ensure it is working, in a nutshell you will need to set the SPN so that this user can use http services on behalf of the IIS server. Lets call this User MBAMPOOL.

 

h. Add MBAMPOOL to RW group.

And this is pretty much it... So lets start the installation, Always start with the installation with the database servers,

For Database server:

        1. Compliance and Audit Database and Recovery Database read/write user or group for reports Should be RW

        2. Compliance and Audit Database read-only user or group for reports should be RO.

 

for reporting roles:

  1. Reports read-only domain access group should be R-AW.
  2. Compliance and Audit Database domain user account should be R-SSRS.

For MBAM administration services

  1. Web service application pool domain account should be MBAMPOOL.
  2. 2. MBAM Advanced Helpdesk Users access group should be MBAM-A-HELPDESK
  3. MBAM Helpdesk Users access group should be MBAM-HELPDESK.      
  4. 4. MBAM Report Users access group should be MBAM-reports.

Hope you'll find the information useful and will subscribe to this blog. Thank you for reading!

Comments

  • Anonymous
    January 01, 2003
    @Sanjit Sorry I don't think i understand your point correctly, If you meant "Domain user account and password that the local SQL Server Reporting Services instance uses to access the Compliance and Audit Database" then all you need to do is to ensure that under SSRS you add this user/group under reporting service configuration manager. Since administrators are by default designated to make changes to reports; adding this user to administrators on the server kinds of resolves this problem but this is not a required permission.

    great point though :)
  • Anonymous
    January 01, 2003
    Thank you for the feedback!
  • Anonymous
    January 01, 2003
    @heyvoon Can you try giving the group name something other than # and then see if it works? I don't think this is related to name as it takes SID of the group at the back and i can confirm in MBAM 2.0 you can rename it to anything you want after they are created. In any case this is more a directory services permission issue than MBAM 2.5.
  • Anonymous
    January 01, 2003
    I am experiencing an issue with MBAM-HELPDESK inheriting users of another group where this other group name starts with a "#" sign. I don't know if it has anything to do with the group name having the # sign or not. But MBAM-HELPDESK is NOT inheriting these users. Thus NOT giving them Helpdesk permission.
  • Anonymous
    November 03, 2014
    Excellent post as it clearly defined the permissions required for the MBAM 2.5. Thank you as it helped me get through a SQL Server Reporting Server report error as it was missing the permission required.
  • Anonymous
    November 06, 2014
    Thnks for this. Found it useful.
  • Anonymous
    November 26, 2014
    Awesome Post , Thank You!!!
  • Anonymous
    November 27, 2014
    Great post - one point to add is that the Compliance and Audit database domain account must be a member of the local admin group on the server - other wise you will get an error message.

    Thanks
  • Anonymous
    January 06, 2015
    It will be good if we can find out the scope details of security group in here i.e. Domain Local, Global or Universal
  • Anonymous
    August 20, 2015
    I have some difficult to add feature, I always get " the SPN account (servername.domainName.com)is configured with wrong account, it must configured correctly for MBAM funtion
  • Anonymous
    September 16, 2015
    can you list setspn -L mbamapppool account and share the output?
  • Anonymous
    September 17, 2015
    I am losing my mind. I have been troubleshooting this for some time. I have almost everything working. I have an admin account that i have been testing with, and I admit that I have granted that account rights everywhere at this point. It still has not fixed the issue. Here is the problem.
    When I access the MBAM page: http://servername/helpdesk, i get prompted for logon. I log on and see 4 options on the left. "System Overview", "Reports", "Drive Recovery" and "Manage TPM". I click on "Reports" button and then click on "Enterprise Compliance Report" and I get the error: "REPORTING SERVICES ERROR - The permissions granted to the user Domainuser are insufficient for performing this operation (rsAccessDenied)".

    However, this EXACT user can start up the Reporting Services Configuration Manager and drill down to and run all the reports through both the "Web Service URL" and the "Report Manager URL".
    The user is a member of all the groups at this point.
    Can you shed any light on this error? I see nothing about it on the Web. I have tried loggin in to IE with a regular user who is only a member of the Adv HD group as well. They get the same error.

    Thanks
    Paul
  • Anonymous
    September 18, 2015
    One more comment. If you are using the MBAM Server Configuration tool and you use the wizard, when you try to use the user "R-AW" as suggested, the wizard generates an error because it wants a GROUP not a USER.
  • Anonymous
    November 15, 2015
    Hello Paul, the user whuch cannot see the reports- is he a member of reporing group inside MBAM?
  • Anonymous
    December 18, 2015
    I am having trouble with MBAM 2.5. The data in the Compliance reports is not refreshing. I do see the data if I look within SQL
  • Anonymous
    June 09, 2016
    Hello,i have exactly the same problem as Paul...A user which is member of the correct groups & SRS roles is able to use the report when is loging directly on http://localhost/reports but - he get a a rsAccessDenied when i try to use the report from the /helpdesk/ portal.....Do you you now what could be a way to fix it ???Sylvain