Planning for MBAM 1.0 Administrator Roles
This topic includes and describes the administrator roles that are available in Microsoft BitLocker Administration and Monitoring (MBAM), as well as the server locations where the local groups are created.
MBAM Administrator roles
MBAM System Administrators
Administrators in this role have access to all MBAM features. The local group for this role is installed on the Administration and Monitoring Server.
MBAM Hardware Users
Administrators in this role have access to the Hardware Capability features from MBAM. The local group for this role is installed on the Administration and Monitoring Server.
MBAM Helpdesk Users
Administrators in this role have access to the Helpdesk features from MBAM. The local group for this role is installed on the Administration and Monitoring Server.
MBAM Report Users
Administrators in this role have access to the Compliance and Audit Reports feature from MBAM. The local group for this role is installed on the Administration and Monitoring Server, Compliance and Audit Database, and on the server that hosts the Compliance and Audit Reports.
MBAM Advanced Helpdesk Users
Administrators in this role have increased access to the Helpdesk features from MBAM. The local group for this role is installed on the Administration and Monitoring Server. If a user is a member of both MBAM Helpdesk Users and MBAM Advanced Helpdesk Users, the MBAM Advanced Helpdesk Users permissions will overwrite the MBAM Helpdesk User permissions.
Important To view the reports, an administrative user must be a member of the MBAM Report Users security group on the Administration and Monitoring Server, Compliance and Audit Database, and on the server that hosts the Compliance and Reports feature. As a best practice, create a security group in Active Directory with rights on the local MBAM Report Users security group on both the Administration and Monitoring Server and on the server that hosts the Compliance and Reports.