locked
Install without adding the CRM computer object to PrivUser and SQLAccess RRS feed

  • Question

  • I am attempting to do a command-line AutoGroupManagementOff="true" (pre-configured AD groups) installation without adding the computer object of the CRM server to the PrivUser and SQLAccess group.  I was told by the AD administrator that they cannot add computer objects to groups.

    So far I have not been able to get this to work.

    Wednesday, January 25, 2012 7:56 PM

All replies

  • Hi Edgewaters,

    Apparently the AD administrator has given you an incorrect answer.

    You can Add computer objects into "Security Groups" you can't add Computer objects to "Distribution Groups".

    The user running the CRM installation needs permissions to create objects in AD, CRM creates the groups automatically, ask your AD admin to give you an OU in AD. I strongly recommend you read the Dynamics CRM implementation Guide:

    CRM 4.0 - http://www.microsoft.com/download/en/details.aspx?id=8162
    CRM 2011 - http://www.microsoft.com/download/en/details.aspx?id=3621

    Don't spend time trying to install CRM wihtout adding the Computers objects to the groups, tell your AD Admin that is incorrect and you give him the CRM installation Guide.

    Regards

    Nuno


    Visit my blog for CRM material, improving performance, kerberos, IFD, development tips, etc. :) http://quantusdynamics.blogspot.com
    • Proposed as answer by nrodriEditor Thursday, January 26, 2012 9:13 AM
    Wednesday, January 25, 2012 8:08 PM
    Answerer
  • It was an organizational policy...I was not suggesting that the AD wouldn't allow the operation.

     

    From what I have seen in the minimum permission guides require the ASP.Net process model identity to be in those groups, so I was thinking it may be able to change the process model to a domain account and add it to the group.  I have had success with that approach when running the SSRS with a domain account and adding it to the PrivReportingGroup.

     

    The installer does not need to have OU create permissions if the groups are pre-created.

    Wednesday, January 25, 2012 9:24 PM
  • Okay Good luck.

    First time I see someone stopping AD from doing what was designed to do.

    Regarding your OU comment:

    [quote]ask your AD admin to give you an OU in AD[/quote]


    Visit my blog for CRM material, improving performance, kerberos, IFD, development tips, etc. :) http://quantusdynamics.blogspot.com
    Thursday, January 26, 2012 9:12 AM
    Answerer