locked
Change default AD groups used by CRM 4.0 RRS feed

  • Question

  • I'm a novice in supporting CRM from an infrastructure point of view, and need some help with a config question, if you can spare the time.
     
    Currently we have CRM 4.0 installed in domain A. During installation, CRM autocreated AD groups also in domain A (UserGroup, SQLAccessGroup, ReportingGroup). Users are in domain B and are being added using a webinterface in CRM, this works just fine. There is a full trust between the two domains.
     
    We are changing our AD structure to use nested groups across child domains, so we need to make some changes to the setup, please see below for a summary of the situation:
     
    Currently: User accounts (domain B) are members of CRM AD group (domain A)
    Future: User accounts (domain B) are members of AD group (domain B) who is a member of CRM AD group (domain A)
     
    Where do we change the setup so that CRM will use the new groups in domain B instead of the default groups in domain A?
     
    (Making the new groups in domain B members of the existing groups in domain A will not work, as the webinterface to add CRM users will continue to add the user account to the AD groups in domain A.)

    Best regards,
    Kenneth
    Wednesday, November 18, 2009 9:45 AM

Answers

  • The only supported way to change the groups is to reinstall CRM after installation. It may be necessary to use an XML configuration file for the install which specifies the groups to use.

    Something to consider is that you could keep the existing CRM AD group in domain A, but manually manage membership by adding the users to the group in domain B. To do this, you can stop CRM adding users directly to the group in domain A by creating a DWORD registry value, AutoGroupManagementOff , with a value of 1 in  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM on the CRM server(s)


    Microsoft CRM MVP - http://mscrmuk.blogspot.com  http://www.excitation.co.uk
    Wednesday, November 18, 2009 12:32 PM
    Moderator

All replies

  • The only supported way to change the groups is to reinstall CRM after installation. It may be necessary to use an XML configuration file for the install which specifies the groups to use.

    Something to consider is that you could keep the existing CRM AD group in domain A, but manually manage membership by adding the users to the group in domain B. To do this, you can stop CRM adding users directly to the group in domain A by creating a DWORD registry value, AutoGroupManagementOff , with a value of 1 in  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM on the CRM server(s)


    Microsoft CRM MVP - http://mscrmuk.blogspot.com  http://www.excitation.co.uk
    Wednesday, November 18, 2009 12:32 PM
    Moderator

  • Something to consider is that you could keep the existing CRM AD group in domain A, but manually manage membership by adding the users to the group in domain B. To do this, you can stop CRM adding users directly to the group in domain A by creating a DWORD registry value, AutoGroupManagementOff , with a value of 1 in  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM on the CRM server(s)


    Thanks David, your reply was very helpful.

    This is actually a multi tenancy installation, so I suspect this option would be the best going forward, as we will also have users from domain C and D coming in - and they would have to be in separate AD groups in their local domain - and I guess CRM will only use one set of AD groups per server.

    Regards
    Kenneth
    Thursday, November 19, 2009 1:56 PM