User Login Issues - CRM 4.0 "The Specified user is either disabled or is not a member of any business unit"

  • Question

  • I have about 100 users who all have a respective business unit and roles; each user has been granted a custom role as well as a role that I created that was one of the out of the box roles. I often get support messages where users are getting an error that states "The Specified user is either disabled or is not a member of any business unit". I then verify the user's business unit and roles and they are correct. Usually to fix them immediately I simply reassign their business unit to the parent business unit then grant roles and the user can then access CRM.

    Any ideas?

    Monday, May 10, 2010 6:39 PM

Answers

  • Hi sixty4,

    I saw this problem if a user had a custom security role and it wasn't configured properly. Check mainly the Business Management tab.

    Here you have an article about minimum rights for security roles.

    http://www.orbitone.com/en/blog/archive/2009/10/06/minimum-dynamics-crm-permissions.aspx


    My Dynamics CRM Blog: http://bovoweb.blogspot.com
    Monday, May 17, 2010 9:50 AM
  • Best Practice for creating new Security Roles is to copy an existing role that was included in the original CRM installation and then tweak the role to meet the security needs.  It might be worth your time to go through the installation and take this step for any security role that you created from scratch.  It will probably save you and your users a lot of time moving forward.

    It is challenging to find all the required minimum settings when creating a new security.


    Regards, Donna

            Windows Live Blog

    Tuesday, May 18, 2010 1:35 PM

All replies

  • I checked his role, and changed it for a test with the sys admin role.

    I can create the entity from new ... but I can't create it using an aspx page in isv

    When I use this link, which works for other users:

    http://crmserv:5555/ISV/Ascentium/CreateClientFromOpportunity.aspx?orgname=CRM_account&userlcid=1033&orglcid=1033&type=3&{4AA064F1-ABEC-DF11-B622-005056AE151B}

    I have an error:

    Error Description:

    The specified user is either disabled or is not a member of any business unit.


    Error Details:

    The specified user is either disabled or is not a member of any business unit.


    Full Stack:

    [CrmException: The specified user is either disabled or is not a member of any business unit.]
     at Microsoft.Crm.BusinessEntities.SecurityLibrary.CheckDisabledStatus(IUser user, IOrganizationContext context)
     at Microsoft.Crm.BusinessEntities.SecurityLibrary.GetUserInfoInternal(WindowsIdentity identity, IOrganizationContext context, UserAuth& userInfo)
     at Microsoft.Crm.BusinessEntities.SecurityLibrary.GetCallerAndBusinessGuidsFromThread(WindowsIdentity identity, Guid organizationId)
     at Microsoft.Crm.Authentication.CrmWindowsIdentity..ctor(WindowsIdentity innerIdentity, Boolean publishCrmUser, Guid organizationId)
     at Microsoft.Crm.Authentication.WindowAuthenticationProviderBase.Authenticate(HttpApplication application)
     at Microsoft.Crm.Authentication.AuthenticationStep.Authenticate(HttpApplication application)
     at Microsoft.Crm.Authentication.AuthenticationPipeline.Authenticate(HttpApplication application)
     at Microsoft.Crm.Authentication.AuthenticationEngine.Execute(Object sender, EventArgs e)
     at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
     at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
    
    

    Other Message:

    Error Number: 0x80040225

    Source File: Not available

    Line Number: Not available

    Other information: this is a test environment. I'm testing with a user which has been disabled in Active Directory and activated again for the test. In Active Directory I've applied the same group as another active user.

    Thanks so much for your help

    Wednesday, November 10, 2010 9:34 AM
  • If I trace one user who is working and this one which doesn't work:

     

    Working:


    >MapOrgEngine: Retreived the OrgId[{00000000-0000-0000-0000-000000000000}] for URL[http://vmt-crm4g:5555/ISV/Ascentium/CreateTreatmentCaseFromProfile.aspx?orgname=AlexionPharmaceuticalsInc&userlcid=1033&orglcid=1033&type=3&typename=opportunity&id={4174014F-ECEB-DF11-B622-005056AE151B}].
    [2010-11-10 05:24:40.5] Process: w3wp |Organization:00000000-0000-0000-0000-000000000000 |Thread:   10 |Category: Platform |User: 00000000-0000-0000-0000-000000000000 |Level: Verbose | SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute
     at SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
     at HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
     at ApplicationStepManager.ResumeSteps(Exception error)
     at HttpApplication.System.Web.IHttpAsyncHandler.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData)
     at HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr)
     at HttpRuntime.ProcessRequestNoDemand(HttpWorkerRequest wr)
     at ISAPIRuntime.ProcessRequest(IntPtr ecb, Int32 iWRType)
    >AUTH: Request [GET http://...:5555/ISV/Ascentium/CreateClientFromOpportunity.aspx?orgname=CRM_Account=1033&orglcid=1033&type=3&typename=opportunity&id={4174014F-ECEB-DF11-B622-005056AE151B}] entered Authentication Pipeline.
    [2010-11-10 05:24:40.5] Process: w3wp |Organization:00000000-0000-0000-0000-000000000000 |Thread:   10 |Category: Platform |User: 00000000-0000-0000-0000-000000000000 |Level: Verbose | AuthenticationPipeline.Authenticate
     at AuthenticationPipeline.Authenticate(HttpApplication application)

     

    Not working:


    >MapOrgEngine: Retreived the OrgId[{00000000-0000-0000-0000-000000000000}] for URL[http://vmt-crm4g:5555/_root/Blank.aspx].
    [2010-11-10 05:19:27.6] Process: w3wp |Organization:00000000-0000-0000-0000-000000000000 |Thread:   19 |Category: Platform |User: 00000000-0000-0000-0000-000000000000 |Level: Verbose | SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute
     at SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
     at HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
     at ApplicationStepManager.ResumeSteps(Exception error)
     at HttpApplication.System.Web.IHttpAsyncHandler.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData)
     at HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr)
     at HttpRuntime.ProcessRequestNoDemand(HttpWorkerRequest wr)
     at ISAPIRuntime.ProcessRequest(IntPtr ecb, Int32 iWRType)
    >AUTH: Request [GET http://...:5555/_root/Blank.aspx] entered Authentication Pipeline.
    [2010-11-10 05:19:27.6] Process: w3wp |Organization:00000000-0000-0000-0000-000000000000 |Thread:   19 |Category: Platform |User: 00000000-0000-0000-0000-000000000000 |Level: Verbose | AuthenticationPipeline.Authenticate
     at AuthenticationPipeline.Authenticate(HttpApplication application)

     

    Wednesday, November 10, 2010 12:40 PM
  • It looks like my user doesn't have access to the ISV folder.

    I checked the security role for this user, but there is no link with that, because I tested with the sys admin role and I have the same error. But I myself, who am sys admin, don't have this error; it's like the user is not a member of an Active Directory group or ....?

    Do you know what I can check?

    Wednesday, November 10, 2010 12:50 PM
  • One last piece of information: this issue seems to appear just for very old users ...

    Wednesday, November 10, 2010 3:09 PM