none
Installing Reporting Server Extension for CRM2011 gives AD Group PrivReportingGroup Error

    Question

  • Hi

     

    We have sucessfully managed to install the CRM 2011 application on to our environment using the minimum access criteria. But when we tried to install the Reproting services Extension, we are running into an PrivReportingGroup Error.

     

    The error description is as follows:

    ActiveDirectoryRightsValidator.Failure.Groups PrivReportingGroup

     

    Environment and backgroun:

    We are using windows server 2008 for the application server and another windows 2008 server with SQL 2008 R2 and reporting services on the same box. I am the installing user and we have pre-created the 4 groups. I am added to all the 4 groups. In addition I am a local admin on the SQL server, sysadmin on the SQL instance as well as a content manager on the reporting services. The SQL server machine name is also added to the PrivReportingGroup.

     

    How can I install the Reproting services extension with the limited access rights - without asking for create/write rights on the PrivReportingGroup or domain admin rights. This will not simply be granted. Also it is not possible to ask a Domain Admin to install this. Any help in working around with the minimum access rights and getting the reports to work (including getting the out of box reports) would be helpful.

     

    Thanks and Regards

    Ani

    Monday, 7 March, 2011 6:12 PM

Answers

  • Hi

    A small clarification. You do not need to add app server box or sql server box to privreportinggroup. Please remove them if you added them as suggested by Jamie.

    The problem that you are facing seems to be from the fact that you or the user running the Reporting Extensions setup is not having the required access on the PrivReportingGroup being used by the deployment. We require the user running the setup to have the following rights on the group:

    1. Read/Write access to member attribute of the group.

    2. Read/Write access to nTSecurityDescriptor attribute of the group.

    3. Right to change the security descriptor of the group.

    Make sure that you have these rights.

    if you are unable to get this working, you can turn off the Auto Group Management in the setup by using the configuration file. You would need to set the AutoGroupManagementOff option in the configuration file to true as described here. Once you are done with installing the Reporting Extensions using this method, you would need to manually add the AD account under which SRS is running to PrivUserGroup and PrivReportingGroup groups that your deployment is using.

    HTH, let me know if you still face issues.

    Thanks

     


    Abhishek Agarwal MSFT
    Tuesday, 8 March, 2011 8:56 AM

All replies

  • Make sure your app server box and sql server computers are part of the privreportinggroup in Active Directory.
    Jamie Miley
    Monday, 7 March, 2011 6:41 PM
  • Hi Jamie

     

    I have sent the request to the AD admin for adding the App server box to the privreportinggroup. SQL server and Reporting services are on the same box.

    Monday, 7 March, 2011 10:51 PM
  • Hi

    A small clarification. You do not need to add app server box or sql server box to privreportinggroup. Please remove them if you added them as suggested by Jamie.

    The problem that you are facing seems to be from the fact that you or the user running the Reporting Extensions setup is not having the required access on the PrivReportingGroup being used by the deployment. We require the user running the setup to have the following rights on the group:

    1. Read/Write access to member attribute of the group.

    2. Read/Write access to nTSecurityDescriptor attribute of the group.

    3. Right to change the security descriptor of the group.

    Make sure that you have these rights.

    if you are unable to get this working, you can turn off the Auto Group Management in the setup by using the configuration file. You would need to set the AutoGroupManagementOff option in the configuration file to true as described here. Once you are done with installing the Reporting Extensions using this method, you would need to manually add the AD account under which SRS is running to PrivUserGroup and PrivReportingGroup groups that your deployment is using.

    HTH, let me know if you still face issues.

    Thanks

     


    Abhishek Agarwal MSFT
    Tuesday, 8 March, 2011 8:56 AM
  • Hi Abhishek

     

    Giving permissions to the Groups is not possible, as this is a corporate installation.

     

    Using the config file for installing the reporting extensions worked - I had somehow missed the flag for Autogroupmanagmentoff.

    This allowed me to install the reporting services extension. This also created all the out of box reports.

    I have added the service account for the SQL / Reporting Service (they are running the same account on the same box) to the PrivReportingGroup as is mentioned in http://technet.microsoft.com/en-us/library/gg554829.aspx

    But when i try to execute the reports, I am getting a "Report cannot be displayed (rsProcessingAborted)" error.

     

    Pls note, as per your instructions, the reporting services service account has been added to the PrivReportingGroup. It is not added to the PrivUserGroup (as this is not mentioned in the documentation http://technet.microsoft.com/en-us/library/gg554829.aspx). Is this the cause of the problem?

     

    Thanks in Advance

    Ani

     

    Tuesday, 8 March, 2011 8:30 PM
  • Hi

     

    Adding the service account to the PrivUserGroup solved the issue of rsProcessingAborted. Just took a bit of time for our Domain Admin group to make the change.

     

    This is not noted in the documentation for the installing the Reproting Extensions (http://technet.microsoft.com/en-us/library/gg554829.aspx).

    Thanks to Abhishek for this price of information.

     

    Tuesday, 8 March, 2011 9:56 PM
  • Hi

    A small clarification. You do not need to add app server box or sql server box to privreportinggroup. Please remove them if you added them as suggested by Jamie.

    The problem that you are facing seems to be from the fact that you or the user running the Reporting Extensions setup is not having the required access on the PrivReportingGroup being used by the deployment. We require the user running the setup to have the following rights on the group:

    1. Read/Write access to member attribute of the group.

    2. Read/Write access to nTSecurityDescriptor attribute of the group.

    3. Right to change the security descriptor of the group.

    Make sure that you have these rights.

    if you are unable to get this working, you can turn off the Auto Group Management in the setup by using the configuration file. You would need to set the AutoGroupManagementOff option in the configuration file to true as described here. Once you are done with installing the Reporting Extensions using this method, you would need to manually add the AD account under which SRS is running to PrivUserGroup and PrivReportingGroup groups that your deployment is using.

    HTH, let me know if you still face issues.

    Thanks

     


    Abhishek Agarwal MSFT

    Can someone give some guidance as to how these #1,2, and 3 rights are given? I don't them specifically in the properties of the privreportinggroup.

    I came across the  ActiveDirectoryRightsValidator.Failure.Groups PrivReportingGroup error running reporting extensions setup.

    The setup user is local admin of the server and sysadmin of reporting services. The account is also a member of the privreportinggroup. Can you please help with how to give necessary rights for install?

    Many thanks.

    • Edited by AdmiralConsulting Wednesday, 16 May, 2012 6:45 PM
    • Proposed as answer by junior49 Monday, 31 December, 2012 9:24 AM
    Wednesday, 16 May, 2012 6:38 PM
  • Hi

    I came across the same problem 'ActiveDirectoryRightsValidator.Failure.Groups PrivReportingGroup error running reporting extensions setup' . if you install the Reporting extensions with the same account used to install CRM 2011. it works fine .

    Monday, 31 December, 2012 9:32 AM
  • Hi I have the same issue. The only difference is that my SQL Server and my SSRS Server are not running on the same box. I have using the CRM install account but still no luck.
    Thursday, 14 February, 2013 10:12 PM