Assign new AD Groups

  • Question

  • I would like to know if it is possible to create new AD groups and use them in CRM.  What I am referring to are the following AD groups CRM creates:

    PrivReportingGroup
    PrivUserGroup
    ReportingGroup
    SQLAccessGroup
    UserGroup

    The issue that I am running into is that on a quarterly basis our company backs up the production CRM database, PROD_MSCRM, and restores it as UAT_MSCRM for use in UAT.  Once this DB is restored I go through the list of users and disable all users that are not part of our UAT team.  Unfortunately, disabling the non-UAT team members causes their AD accounts to be removed from the ReportingGroup and UserGroup, since the restored DB is pointing to the same AD groups our production system is using.  Now I can restore users' AD accounts to those groups by going into the production server, locating the accounts, then disabling and finally enabling each account again; however, this is time-consuming and has the risk of missing users.

    What I would like to do is create new AD groups for our UAT tenant and then point UAT to those AD groups each time prod is restored into UAT_MSCRM.  Is this possible?  If it is, where can I locate instructions on how to go about accomplishing this?

    Tuesday, February 15, 2011 4:09 PM

Answers

  • The AD groups necessarily apply per CRM deployment. I don't think there is any way to apply different AD groups for different organisations on the same deployment.

    How about this as an alternative: rather than disable the non-UAT users in the UAT organisation, just remove their security roles. This will prevent them from being able to access this organisation, but will leave their AD group membership intact.


    Microsoft CRM MVP - http://mscrmuk.blogspot.com  http://www.excitation.co.uk
    • Marked as answer by Eric.W.Cahoon Tuesday, February 15, 2011 4:39 PM
    Tuesday, February 15, 2011 4:26 PM
    Moderator

All replies

  • Ah, as always KISS saves the day.  My mind and no one else on the team even thought of revoking access by removing security roles from the users' accounts. Thank you David for providing an even simpler solution.

    Tuesday, February 15, 2011 4:35 PM
  • Whenever you restore the database it will overwrite the old security group. You can disable the non-UAT team by selecting them together and changing their business unit. They will lose their security roles and will not have access to UAT.

    I think you can also do a redeployment of the Production server with separate security groups in AD. When you restore the DB next time it will overwrite the security roles in the DB but the previous groups will remain in SQL Security. You can add these groups to the newly restored DB and remove the unwanted groups. Not tested but it should work.

     


    Regards Faisal
    Tuesday, February 15, 2011 4:53 PM
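
A check for the side effect described in the question (accounts dropping out of ReportingGroup and UserGroup after users are changed in UAT), as an added example that is not part of the original thread: it snapshots the membership of those AD groups before the UAT cleanup and lists the accounts that are missing afterwards. The group identities and the snapshot path are placeholders, the function names are hypothetical, and it assumes the ActiveDirectory PowerShell module is installed.

```powershell
# Added example: baseline and re-check membership of the CRM AD groups
# around a UAT refresh. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Placeholders: use the group names exactly as they exist in your directory.
$Groups   = 'ReportingGroup', 'UserGroup'
$Snapshot = 'C:\Temp\crm-group-baseline.csv'   # hypothetical path

function Get-CrmGroupMembership {
    param([string[]]$GroupName)
    foreach ($g in $GroupName) {
        # One row per (group, member) pair
        Get-ADGroupMember -Identity $g |
            Select-Object @{n='Group'; e={$g}}, SamAccountName, distinguishedName
    }
}

function Save-CrmGroupBaseline {
    param([string[]]$GroupName, [string]$Path)
    Get-CrmGroupMembership -GroupName $GroupName |
        Export-Csv -Path $Path -NoTypeInformation
}

function Get-CrmGroupRemovals {
    param([string[]]$GroupName, [string]$Path)
    $before = @(Import-Csv -Path $Path)
    $after  = @(Get-CrmGroupMembership -GroupName $GroupName)

    # Key each row as "group|account" so empty result sets are handled safely
    $afterKeys = @($after | ForEach-Object { "$($_.Group)|$($_.SamAccountName)" })

    # Rows present in the baseline but absent now: accounts to restore
    $before | Where-Object {
        $afterKeys -notcontains "$($_.Group)|$($_.SamAccountName)"
    } | Select-Object Group, SamAccountName, distinguishedName
}

# 1. Before changing any users in the UAT organisation:
#      Save-CrmGroupBaseline -GroupName $Groups -Path $Snapshot
# 2. After the UAT cleanup (roles removed or users disabled):
#      Get-CrmGroupRemovals -GroupName $Groups -Path $Snapshot | Format-Table
```

An empty result from the second step means the production group membership survived the UAT cleanup; any rows returned are the accounts that need to be put back.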