User can't access CRM after recreate AD account and upgrade to CRM 2013

  • Question

  • Hello,

    We have a few CRM users who have the same issue. This is our scenario:

    We have a CRM user whose user name is domain\username1, who left the company one year ago and then came back half a year ago (let's say May 01, 2014). Unfortunately, his account was deleted in AD and disabled in CRM when he left. A new account with the same name was re-created in AD and enabled in CRM when he came back. Everything seemed to be working with CRM 2011 until we upgraded to CRM 2013 recently. He can't access CRM anymore with this user name: domain\username1. Then we went to the database and found there are two records associated with this user in the table 'SystemUserBase', which is understandable. We found they have different 'ActivityDirectoryGuid' values: one was created two years ago, the other was created in May of this year.

    We tried to replace the old ActivityDirectoryGuid with the new one, and tried switching to a dummy AD account and switching back. We tried all we can, but none of it worked.

    Here are some help links we found, but none of them worked.

    http://quantusdynamics.blogspot.ca/2013/03/dynamics-crm-2011-recover-deleted.html

    https://community.dynamics.com/crm/b/marcellotonarelli/archive/2013/12/04/re-create-your-deleted-ad-user-account-which-is-using-in-microsoft-dynamics-crm.aspx

    https://www.salentica.com/enabling-a-crm-user-after-their-ad-account-has-been-deleted-and-re-created/

    Any ideas will be appreciated.

    Thanks.

    Friday, September 26, 2014 4:53 PM

All replies

  • The mscrm_config database stores the unique spid of a user record. So when you recreate the user, the spid changes in AD.

    Have you tried activating the user, changing his domain logon name to another user who does not exist in CRM, and then changing it back to the original user?

    Regards

    Jithesh

    Saturday, September 27, 2014 1:13 AM
  • Yes. I tried it as well with no luck.
    Monday, September 29, 2014 3:07 PM
  • You will need to discuss a proper plan with the business and whoever manages AD, and let them know that they should only disable AD users who have CRM user records. Then you disable the CRM user records in CRM.

    FYI, if the user record is disabled in CRM and the AD account is deleted, the disabled CRM user record cannot be reactivated through the CRM UI so it can be re-associated to another AD account (however, the user record can be re-enabled through direct modification of the database, but this is not supported). In this situation a likely solution would have been, during some down time, to disable and then delete the organization from the CRM Deployment Manager, and then re-import it. Then, at the point of user mapping, manually map the user that was deleted. This would have allowed you to link the original CRM user record to the new AD record, and updated the config database as well. This would have prevented the second user record from being created.

    To resolve the issue with the second CRM user record, you will need to contact Microsoft Tech Support. It will require a supported SQL query to clean up both the config and org database to remove the old user record. You should also reassign all records the old user record owns in CRM prior to running their script. Microsoft may also require you to go through professional services for this type of request because of the nature of this unique request, and the fact that it will require a SQL query to be built for you and tested prior to delivering it to you.

    The reason you will need to go through Microsoft is because it will require a direct modification of the database.  If you do this yourself, your database will be unsupported by Microsoft, which is a bad position to put yourself or business into.  The Microsoft query will ensure that any related tables are not harmed or overlooked since there are a lot of related tables with CRM.


    Jason Peterson

    Monday, September 29, 2014 3:58 PM
  • Thanks, Jason.

    I know all of this comes from the AD staff's bad practice. I've already informed them to disable AD accounts instead of deleting them.

    Thanks for the suggestion to address this issue. I'll give it a try and might need to contact Microsoft support if necessary.

    Thanks.

    Tuesday, September 30, 2014 3:46 PM