Setting up user accounts for MBAM 2.5

Hi all, my name is Mayank Sharma and I am a technical advisor here at Microsoft. In this blog I am going to discuss some very common issues that we see people encounter while setting up MBAM 2.5, primarily because MBAM 2.5 is very different from MBAM 2.0 as far as user accounts go.

There is a TechNet article that lists all the requirements, but a few people have found it a little too confusing, so I thought I would sort it out here.

The simplest way to start is to create two accounts: one with read and write privileges and a second with read-only privileges. Each can be a user or a group; I prefer a group so that we can add or remove MBAM administrators when someone joins or leaves the company. Let's name the groups now:

a. RW - a group that will hold read/write privileges over the database; don't worry, you don't have to grant the permissions manually.

b. RO - a group that will have read-only privileges over the domain account.

Reporting services:

Under reporting services, we have two fields:

"Name of the domain group whose members have read-only access to the reports in the Administration and Monitoring Website." and "Domain user account and password that the local SQL Server Reporting Services instance uses to access the Compliance and Audit Database."

They are meant for two totally different uses; however, the permissions they need are identical in every sense, i.e. read permissions on the databases. So let's create users for these:

c. R-AW (reports for the administration website) - add this user to group RO.

d. R-SSRS (reports to be used by SSRS) - add this user to group RO.


For administration website:

This is relatively straightforward: create three groups.

e. MBAM-A-HELPDESK - A group for MBAM for advanced helpdesk users.

f. MBAM-HELPDESK - A group for MBAM for helpdesk users.

g. MBAM-report - A group for report user.


Now create a user for the web service account; this is the user that MBAM will use to authenticate and communicate on behalf of the MBAM server. You must configure constrained delegation for this user account to ensure it works; in a nutshell, you will need to set the SPN so that this user can use HTTP services on behalf of the IIS server. Let's call this user MBAMPOOL.


h. Add MBAMPOOL to RW group.
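Steps a to h above can be scripted with the ActiveDirectory PowerShell module. The script below is an added example, not part of the original post or of MBAM itself; it creates the groups and accounts, adds the memberships, and registers the HTTP SPN on MBAMPOOL only if no other account already holds it. The OU path, the web server FQDN and the Global group scope are assumptions (the post does not specify them), and constrained delegation itself is still configured separately.

```powershell
# Added example: OU, FQDN and group scope are hypothetical; adjust to your domain.
Import-Module ActiveDirectory

$ou       = 'OU=MBAM,DC=contoso,DC=example'   # assumption: an existing OU
$webHost  = 'mbam.contoso.example'            # assumption: FQDN of the IIS server
$groups   = 'RW','RO','MBAM-A-HELPDESK','MBAM-HELPDESK','MBAM-report'  # names from steps a, b, e, f, g
$accounts = @{ 'R-AW' = 'RO'; 'R-SSRS' = 'RO'; 'MBAMPOOL' = 'RW' }    # account -> group (steps c, d, h)

foreach ($g in $groups) {
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$g'")) {
        # Scope is not stated in the post; Global/Security is an assumption.
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global `
                    -GroupCategory Security -Path $ou
    }
}

foreach ($name in $accounts.Keys) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$name'")) {
        # Prompt for the password so it never appears in the script or history.
        $pw = Read-Host -AsSecureString "Password for $name"
        New-ADUser -Name $name -SamAccountName $name -Path $ou `
                   -AccountPassword $pw -Enabled $true
    }
    $group   = $accounts[$name]
    $members = Get-ADGroupMember -Identity $group |
               Select-Object -ExpandProperty SamAccountName
    if ($members -notcontains $name) {
        Add-ADGroupMember -Identity $group -Members $name
    }
}

# Register the HTTP SPN on the pool account, refusing to create a duplicate:
# an SPN held by two accounts makes Kerberos authentication fail.
$spn    = "http/$webHost"
$holder = Get-ADObject -Filter "ServicePrincipalName -eq '$spn'"
if ($holder -and $holder.Name -ne 'MBAMPOOL') {
    Write-Warning "$spn is already registered on '$($holder.Name)'; resolve this first."
} elseif (-not $holder) {
    Set-ADUser -Identity 'MBAMPOOL' -ServicePrincipalNames @{ Add = $spn }
}

setspn -L MBAMPOOL   # list the SPNs now registered on the pool account
```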

And this is pretty much it. So let's start the installation; always start the installation with the database servers.

For the database server:

  1. Compliance and Audit Database and Recovery Database read/write user or group for reports should be RW.
  2. Compliance and Audit Database read-only user or group for reports should be RO.


For reporting roles:

  1. Reports read-only domain access group should be R-AW.
  2. Compliance and Audit Database domain user account should be R-SSRS.


For MBAM administration services:

  1. Web service application pool domain account should be MBAMPOOL.
  2. MBAM Advanced Helpdesk Users access group should be MBAM-A-HELPDESK.
  3. MBAM Helpdesk Users access group should be MBAM-HELPDESK.
  4. MBAM Report Users access group should be MBAM-reports.

Hope you'll find the information useful and will subscribe to this blog. Thank you for reading! 

Comments (16)

  1. @Sanjit Sorry, I don’t think I understand your point correctly. If you meant "Domain user account and password that the local SQL Server Reporting Services instance uses to access the Compliance and Audit Database" then all you need to do is to ensure that
    under SSRS you add this user/group under Reporting Services Configuration Manager. Since administrators are by default designated to make changes to reports, adding this user to administrators on the server kind of resolves this problem but this is not a required

    great point though 🙂

  2. Thank you for the feedback!

  3. @heyvoon Can you try giving the group name something other than # and then see if it works? I don’t think this is related to the name as it takes the SID of the group at the back, and I can confirm that in MBAM 2.0 you can rename it to anything you want after they are
    created. In any case this is more a directory services permission issue than MBAM 2.5.

  4. Heyvoon says:

    I am experiencing an issue with MBAM-HELPDESK inheriting users of another group where this other group name starts with a "#" sign. I don’t know if it has anything to do with the group name having the # sign or not. But MBAM-HELPDESK is NOT inheriting
    these users. Thus NOT giving them Helpdesk permission.

  5. MBAM User says:

    Excellent post as it clearly defined the permissions required for the MBAM 2.5. Thank you as it helped me get through a SQL Server Reporting Server report error as it was missing the permission required.

  6. JJ says:

    Thanks for this. Found it useful.

  7. Kiran A says:

    Awesome Post , Thank You!!!

  8. Sanjit Hayer says:

    Great post – one point to add is that the Compliance and Audit database domain account must be a member of the local admin group on the server – other wise you will get an error message.


  9. It will be good if we can find out the scope details of security group in here i.e. Domain Local, Global or Universal

  10. ginger says:

    I have some difficulty adding the feature; I always get "the SPN account ( configured with wrong account, it must configured correctly for MBAM function

  11. Ginger, says:

    Can you list setspn -L mbamapppool account and share the output?

  12. paul says:

    I am losing my mind. I have been troubleshooting this for some time. I have almost everything working. I have an admin account that I have been testing with, and I admit that I have granted that account rights everywhere at this point. It still has not
    fixed the issue. Here is the problem.
    When I access the MBAM page: http://servername/helpdesk, I get prompted for logon. I log on and see 4 options on the left. "System Overview", "Reports", "Drive Recovery" and "Manage TPM". I click on "Reports" button and then click on "Enterprise Compliance
    Report" and I get the error: "REPORTING SERVICES ERROR – The permissions granted to the user Domainuser are insufficient for performing this operation (rsAccessDenied)".

    However, this EXACT user can start up the Reporting Services Configuration Manager and drill down to and run all the reports through both the "Web Service URL" and the "Report Manager URL".
    The user is a member of all the groups at this point.
    Can you shed any light on this error? I see nothing about it on the Web. I have tried logging in to IE with a regular user who is only a member of the Adv HD group as well. They get the same error.


  13. paul says:

    One more comment. If you are using the MBAM Server Configuration tool and you use the wizard, when you try to use the user "R-AW" as suggested, the wizard generates an error because it wants a GROUP not a USER.

  14. Hello Paul, the user who cannot see the reports - is he a member of the reporting group inside MBAM?

  15. Erik says:

    I am having trouble with MBAM 2.5. The data in the Compliance reports is not refreshing. I do see the data if I look within SQL

  16. sylvain says:


    I have exactly the same problem as Paul…
    A user who is a member of the correct groups & SRS roles is able to use the report when logging in directly on http://localhost/reports but he gets an rsAccessDenied when I try to use the report from the /helpdesk/ portal…
    Do you know what could be a way to fix it?

