Setting up user accounts for MBAM 2.5

Hi all, my name is Mayank Sharma and I am a technical advisor here at Microsoft. In this blog I am going to discuss some very common issues that we see people encounter while setting up MBAM 2.5, primarily because MBAM 2.5 is very different from MBAM 2.0 as far as user accounts go.

Though there is a TechNet article which lists out all the requirements, https://technet.microsoft.com/en-us/library/dn645328.aspx, a few have found it a little too confusing. So I thought I would sort it out now.

The simplest way to start off is to get two security principals: one with read and write privileges and a second with read-only privileges. Each can be a user or a group; I prefer a group so that we can add or remove MBAM administrators when someone joins or leaves the company. Let's name the groups now:

a. RW - a group that will hold read/write privileges over the database; don't worry, you don't have to grant the permissions manually.

b. RO - a group that will hold read-only privileges over the database.

Reporting services:

Under reporting services, we have two fields:

"Name of the domain group whose members have read-only access to the reports in the Administration and Monitoring Website." and "Domain user account and password that the local SQL Server Reporting Services instance uses to access the Compliance and Audit Database."

They are meant for two totally different usages; however, the permissions they need are identical in every sense, i.e. read permissions on the databases. So let's create users for these:

c. R-AW (reports for the administration website) - add this user to group RO.

d. R-SSRS (reports to be used by SSRS) - add this user to group RO.

 

For administration website:

This is relatively straightforward: create three groups.

e. MBAM-A-HELPDESK - a group for MBAM advanced helpdesk users.

f. MBAM-HELPDESK - a group for MBAM helpdesk users.

g. MBAM-report - a group for report users.

 

Now create a user for the web service account; this is the user that MBAM will use to authenticate and communicate on behalf of the MBAM server. You must configure constrained delegation for this user account to ensure it works: in a nutshell, you will need to set the SPN so that this user can use HTTP services on behalf of the IIS server. Let's call this user MBAMPOOL.

 

h. Add MBAMPOOL to RW group.
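The whole account design above (groups a, b, e, f, g; users c, d, MBAMPOOL; memberships c/d into RO and h into RW; SPN plus constrained delegation for MBAMPOOL) as an added PowerShell example, not code from the original post. It uses the ActiveDirectory module; the OU, domain name and MBAM web host FQDN are assumptions, so replace them with your own, and the final Get-ADUser call is the check that the SPN and delegation target actually landed on the account.

```powershell
# Added example (not from the original post). Assumed values: OU, domain, web host.
Import-Module ActiveDirectory

$ou       = 'OU=MBAM,DC=corp,DC=example'     # assumed OU for the new objects
$domain   = 'corp.example'                   # assumed AD domain
$mbamHost = 'mbam-admin.corp.example'        # assumed FQDN of the MBAM IIS server
$mbamShort = ($mbamHost -split '\.')[0]
$pwd = Read-Host -Prompt 'Password for the new service accounts' -AsSecureString

# Groups a, b, e, f, g from the post (MBAM-report spelled as the post spells it)
foreach ($g in 'RW','RO','MBAM-A-HELPDESK','MBAM-HELPDESK','MBAM-report') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'" -SearchBase $ou)) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global `
                    -GroupCategory Security -Path $ou
    }
}

# Users c, d and the web service account (all service accounts, so no expiry)
foreach ($u in 'R-AW','R-SSRS','MBAMPOOL') {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$u'")) {
        New-ADUser -Name $u -SamAccountName $u -UserPrincipalName "$u@$domain" `
                   -Path $ou -AccountPassword $pwd -Enabled $true `
                   -PasswordNeverExpires $true
    }
}

# Memberships: c and d go into RO (read-only), h puts MBAMPOOL into RW
Add-ADGroupMember -Identity 'RO' -Members 'R-AW','R-SSRS'
Add-ADGroupMember -Identity 'RW' -Members 'MBAMPOOL'

# SPN for the app-pool account so Kerberos works for the MBAM web site.
# setspn -Q first: a duplicate SPN on another account silently breaks Kerberos.
$spns = "HTTP/$mbamHost", "HTTP/$mbamShort"
foreach ($spn in $spns) { setspn -Q $spn }
Set-ADUser -Identity 'MBAMPOOL' -ServicePrincipalNames @{Add = $spns}

# Constrained delegation: MBAMPOOL may delegate only to the HTTP service of the
# MBAM IIS server, never to arbitrary services (least privilege for the account).
Set-ADUser -Identity 'MBAMPOOL' -Add @{'msDS-AllowedToDelegateTo' = $spns}

# Check: both attributes should list exactly the two HTTP SPNs above
Get-ADUser -Identity 'MBAMPOOL' -Properties ServicePrincipalNames,'msDS-AllowedToDelegateTo' |
    Select-Object SamAccountName, ServicePrincipalNames, 'msDS-AllowedToDelegateTo'
```

Run it once as a domain admin; every step is guarded or idempotent, so re-running after a partial failure is safe.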

And this is pretty much it... So let's start the installation. Always start the installation with the database servers.

For Database server:

  1. Compliance and Audit Database and Recovery Database read/write user or group for reports should be RW.
  2. Compliance and Audit Database read-only user or group for reports should be RO.

 

For reporting roles:

  1. Reports read-only domain access group should be R-AW.
  2. Compliance and Audit Database domain user account should be R-SSRS.

For MBAM administration services:

  1. Web service application pool domain account should be MBAMPOOL.
  2. MBAM Advanced Helpdesk Users access group should be MBAM-A-HELPDESK.
  3. MBAM Helpdesk Users access group should be MBAM-HELPDESK.
  4. MBAM Report Users access group should be MBAM-reports.

I hope you'll find the information useful and will subscribe to this blog. Thank you for reading!