Introducing the 2024 PKI & Digital Trust Report     | Download the Report

FIM Service Accounts

FIM requires several service accounts and groups, each with their own configuration requirements. However, there isn’t a single document that I’ve found that lists out all the accounts and the access they need.

This is a compilation of information from various Microsoft articles with information on FIM service accounts.

Full name

User logon name


FIM Service FIMService Required by FIM to run the FIM Portal. If using PCNS, SPNs for this account need to be added. Setspn.exe –S FIMService/fim1CORP\FIMServiceSetspn.exe –S FIMService/ CORP\FIMServiceIf using Kerberos, delegation needs to be enabled.If using PCNS, SPNs also need to be set on this account for that (see section on PCNS below this table.)
FIM Synch Service FIMSyncService Required by FIM to run the FIM Synchronization Service
FIM MA FIMMA Required by FIM to provision and deprovision from the FIM Portal
SharePoint Service SPService SharePoint service accountSetspn.exe –S HTTP/fim1 CORP\SPServiceSetspn.exe –S HTTP/ CORP\SPServiceIf using Kerberos, delegation needs to be enabled.
FIM ADMA FIMADMA Required by FIM to manage objects in Active Directory- Need replicate directory changes permissions- Needs full control on OUs FIM is managing- Needs Organization Management role for Exchange if mailboxes are being provisioned.A full explanation of configuring the ADMA account can be found here:
FIM Installer FIMInstaller Recommended account with administrator rights on FIM servers to install software. This should be a local administrator account on the FIM and SCSM servers. It also needs sysadmin on SQL during installation. If using SCSM, the account also needs local administrator rights on the SQL server. After installation on development, rights can be lowered or the account can be disabled. (Note: during updates, this right may need to be granted while the update is installing.)


Detailed instructions on setting up the FIM Service accounts can be found here:

Detailed information on the SPNs used by FIM can be found here:

One thing to take careful note of is this step:

Note: When the installation is split between two servers, the service account for FIMService (the one that runs the service) should not be configured in the secure matter (deny logon as a batch job, deny logon locally, deny access to this computer from the network) on the server with the synchronization service. FIM Service account should be configured in the secure matter only on the server with FIM Service and Portal.

Password Reset SPNS

If using the password reset portal, set SPNs as follows:

Setspn.exe –S HTTP/ CORP\FIM2$

Setspn.exe –S HTTP/ CORP\FIM2$


To configure the SPN using Setspn.exe

  • At a command-line prompt, type the commands shown by the following syntax:

Setspn.exe -a <user defined named for target FIM Sync server>/<fully qualified domain name of the server running FIM Sync>\<domain\user name of the FIM Sync service account>

For example:

Setspn.exe -a PCNSCLNT/ fab-dev-01\MIISServAccount

The SPN must be unique and cannot appear on any other service account. Otherwise, the Kerberos authentication fails and password change requests are not sent to FIM. If there are multiple SPN, you can delete the superfluous ones as follows:

In ADUC, refresh the domain. Then, making sure “Advanced Features” is turned on under “View”, navigate to “System” then “Password Change Notification Service”. It with show the list of the targets and you can delete the incorrect one.

Using the –s switch with the Setspn.exe helps ensure that no duplicates are created when you are configuring SPNs. This switch sets the spn only after verifying that no duplicates exist.

To verify the SPN setting for MIIS 2003

  1. Log on to each Active Directory domain controller where PCNS was installed with administrative privileges.
  2. At a command prompt, type setspn –L <FIM Sync service account>, and then press ENTER.
  3. Verify that the following SPN is registered for the <FIM Sync service account>: PCNSCLNT\<FIM Sync server host name>

PCNS uses inclusion and exclusion AD groups. These need to be created in Active Directory (only the inclusion group is required, the exclusion group is optional. If a user is in the exclusion group, the password change will not be transmitted even if the user is in the inclusion group).

To configure PCNS, run the configuration utility found in the installation directory of PCNS.

pcnscfg ADDTARGET /N:FIMserver1 / /S:PCNSCLNT/”Domain Users” /FE:”Domain Admins” /F:1 /I:600 /D:False /WL:20 /WI:60


  • FIMSyncAdmins
  • FIMSyncOperators
  • FIMSyncJoiners
  • FIMSyncBrowse
  • FIMSyncPasswordSet
  • PCNS inclusion and exclusion groups

Apart from the PCNS groups, these groups are needed when installing the FIM Service. They can be AD groups or local groups.

The membership needs to be:


– FIMSyncService

– FIM Installer account

FIMInstaller needs to have read access to the OU the groups are in if they are Active Directory groups.

For more information on group configuration and permissions, please see this article:

SCSM Accounts

  • With the release of FIM R2 came a new reporting feature that leverages System Center Service Manager (SCSM).If using this feature, the following accounts will be needed:

SCSM Installer Account

Must be a local admin on the SCSM and SCSMDW server.

Must have rights in SQL to create databases and assign security roles. (We used sysadmin.)

Must be a member of the local Administrators group on the SQL Server.

After installation, the account access can be lowered or the account can be disabled and re-enabled if updates need to be installed.

It is also possible to use the FIM Installer account rather than creating a separate SCSM Installer account.

SCSM Administrators Group

Security group in AD

The Installer account is added to this group automatically.

The group is added to the Service Manager Administrators role automatically.

The group is added to the Data Warehouse Administrators role automatically.

Service Manager Service Account

Domain user

Local admin on the SCSM and SCSMDW server. (Use the same account for both servers.)

After installation becomes the Operational System Account, is assigned to logon account for both System Center Data Access Service and System Center Management Configuration Service.

In SQL, it is added to the sdk_users and configsvc_users database roles on the SCSM and SCSMDW databases becomes a member of the db_datareader role for the DWRepository database.

After installation, becomes the data warehouse run as account, is assigned to the Service Manager SDK account and Service Manager Config account.

Workflow Account

Domain user

Member of the local Users security group.

If email notifications are required, this account must be mail enabled.

Reporting Account

Domain user

Used by SSRS to access the DWDataMart data.

In SQL, it is added to the db_datareader and reportuser roles on the DWDataMart database.