During the installation of FIM, you are required to specify a FIM management agent account.

There is no need to make this account an administrator on your FIM server.

In other words, it is sufficient to use a regular user account. The FIM setup process grants all rights that are necessary to access the FIM service to this account.

When you configure your FIM management agent, you need to specify this account in the "connect to Database" section:


The account must be the same as the one you have specified during the installation of FIM:

During the installation, FIM stores not only the account's name but also its SID.

When you delete this account and create a new one with the same name, it is technically not the same account because the new account has a different SID.

By using PowerShell to do a FIM MA account configuration quick test, you can:

  1. Retrieve the name of the account that was specified during setup
  2. Verify that FIM still has the right SID for this account



You should run this script to do a sanity check before configuring a FIM management agent.
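The SID comparison behind such a check, as an added example (it is not the script this article refers to). `Test-AccountSidMatch` is a hypothetical helper that takes the account name and the stored SID as parameters and does not read FIM's own configuration; the sample values are the ones from the error output shown later on this page, and PowerShell 2.0 or later is assumed.

```powershell
# Added example. Test-AccountSidMatch is a hypothetical helper, not part of FIM.
# The caller supplies both values; this code does not read FIM's own configuration.
function Test-AccountSidMatch {
    param(
        [Parameter(Mandatory = $true)] [string] $AccountName,  # DOMAIN\user
        [Parameter(Mandatory = $true)] [string] $StoredSid     # SID recorded at setup
    )

    $result = New-Object PSObject -Property @{
        AccountName   = $AccountName
        StoredSid     = $StoredSid
        CurrentSid    = $null   # SID the name resolves to today
        StoredSidName = $null   # account that owns the stored SID today, if any
        Status        = 'Unknown'
    }

    # Name -> SID: what the directory returns for this name now.
    try {
        $nt = New-Object System.Security.Principal.NTAccount($AccountName)
        $result.CurrentSid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        $result.Status = 'AccountNotFound'
        return $result
    }

    # SID -> name: does the stored SID still belong to an existing account?
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($StoredSid)
        $result.StoredSidName = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        $result.StoredSidName = $null   # orphaned SID: the original account is gone
    }

    if ($result.CurrentSid -eq $StoredSid) {
        $result.Status = 'Match'
    } elseif ($null -eq $result.StoredSidName) {
        $result.Status = 'RecreatedOrReplaced'          # same name, different SID
    } else {
        $result.Status = 'StoredSidBelongsToOtherName'  # stored SID maps elsewhere
    }
    return $result
}

# Sample values copied from the output shown on this page.
Test-AccountSidMatch -AccountName 'CDHU\fim_ma' `
    -StoredSid 'S-1-5-21-717229978-1245646637-2206649778-1126'
```

A status of `RecreatedOrReplaced` is the case described above: the name resolves, but to a SID other than the stored one, and the stored SID no longer maps to any account.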


If you are running into issues in conjunction with your FIM MA account after you have already configured your FIM management agent, you can test your configuration by using PowerShell to test the FIM management agent account.

This script reads the account configuration specified during setup and compares it with the configuration of your FIM management agent.

If your FIM service is running on a domain controller, the FIM MA account must be granted the right to log on locally.

When running this script, you are asked to specify the password of the account.

This is necessary because the script also verifies whether the right to log on locally has been granted to your FIM MA account:


If the current MA account is not the same as the one you have currently configured, the script indicates this with the following error message:

FIM MA Account Test
  -Reading registry configuration
  -FIM MA account name: CDHU\fim_ma
  -FIM MA account SID : S-1-5-21-717229978-1245646637-2206649778-1126
  -Reading MA configuration
Error: Registry configuration and FIM MA configuration for MA account don't match!

The error indicates that your FIM MA account is not the same as the account you have specified during the installation of FIM.

If you are running into a FIM management agent account related issue, please do not try to solve this issue by tweaking security settings or making the account an administrator on your FIM computer.

The most efficient way to solve this issue is usually to create a new user account and to configure your FIM system to use this account.

You can update your FIM account configuration by running setup in "Change" mode.   

To do so, select the "Forefront Identity Manager Service and Portal" from "Control Panel\Programs and Features", and then click "Change" to start setup:



For more details about the FIM MA account, see the FIM Installation Guide.