Endpoint Insights
ConfigMgr 2012 R2, SSRS and Windows Authorization Access Group
Garth JonesThis blog post shows you how to add your execution or computer account to the Windows Authorization Access Group (Active Directory (AD) security group). Why? In order for Configuration Manager 2012 R2 (CM12 R2) to use the Role-Based Administration (RBA) feature within SQL Server Reporting Services (SSRS), the SSRS execution account (EA) needs to be able to determine who is running the report. Then the EA will determine what CM12 rights the user has before displaying the report results. In some cases after upgrading to CM12 R2 or one of its Cumulative Updates (CU), when you run an SSRS report you may receive the error message below.
The DefaultValue expression for the report parameter ‘UserTokenSIDs’ contains an error: The specified directory service attribute or value does not exist.
The solution to this problem is to add your execution or computer account to the Windows Authorization Access Group (Active Directory (AD) security group).
Use the following steps to perform this task.
Open Active Directory Users and Computers (ADUC), and browse to the Builtin container. Double-click on the Windows Authorization Access Group.
Click the Members tab.
Click Add…
Add your execution account and click OK twice to return back to the ADUC.
From this point forward your Configuration Manager 2012 R2 SSRS account will be able to read the access token from AD and therefore RBA reports will work correctly.
If you have any questions about how to add your execution or computer account to the Windows Authorization Access Group, please contact me at @GarthMJ or leave a note below.
