We had a similar situation. We use a local account on the host to allow the monitoring system to login and grab metrics. Before, we'd just put the user in the readonly group when we created the user. The work-around -- which may or may not suit your needs -- was to create the user without a group, then pop over to the Permissions tab and grant the 'Read-only' role to that new user. The difference is just that we're not using the group membership to make it read-only, we're setting the permissions on the user itself.
Hope this helps.
