What Account Actually Makes changes to the AD security groups

  • Question

  • If one installs Microsoft CRM 4.0 with autogroupmanagementoff=false, and allows CRM to create the 5 Active Directory Keys (privUserGroup, etc), what account is actually used to change AD? CRMAppPool runs as Network Service, which doesn't seem to have permission to change these values, so what does? 

    Friday, April 30, 2010 2:42 PM

Answers

  • Hi Nick,

    When an administrator adds a new user to CRM, that new user will go into one of those groups. The credentials of the logged-on administrator adding the user are used to add the user to the AD group.


    Alex Fagundes - www.PowerObjects.com
    • Marked as answer by nickpeterson Friday, April 30, 2010 4:11 PM
    Friday, April 30, 2010 2:49 PM
  • It is the account that the CrmAppPool runs under. Note that anything running under the Network Service account will use the machine account when connecting to any other machines.
    Microsoft CRM MVP - http://mscrmuk.blogspot.com  http://www.excitation.co.uk
    • Marked as answer by nickpeterson Friday, April 30, 2010 4:11 PM
    Friday, April 30, 2010 2:50 PM
    Moderator

All replies

  • So, if you have an Account that is the CRM administrator, and you add a user from AD, set their role as an administrator. When CrmAppPool uses NetworkService, if the newly created admin adds a user, Active Directory actually sees the request as a request from the newly created admin's account? So essentially, when you assign a user the role of admin, are they given the permissions in AD automatically to create child objects in whichever OU CRM lives in?
    Friday, April 30, 2010 2:54 PM
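
One way to see which account Active Directory records as making the group change is to read the "member added to a security-enabled group" events from a domain controller's Security log. The script below is an added example, not part of the original thread. It assumes Windows Server 2008 or later event IDs (4728/4732/4756), that account-management auditing is enabled, and that the events were exported as XML; CONTOSO, CRMSRV01, crmadmin, jdoe and asmith are constructed sample values.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# "A member was added to a security-enabled group": global, local, universal
MEMBER_ADDED = {"4728", "4732", "4756"}

# Constructed sample export; every name in it is hypothetical.
SAMPLE = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>4728</EventID></System><EventData>
<Data Name="MemberName">CN=jdoe,OU=CRM,DC=contoso,DC=local</Data>
<Data Name="TargetUserName">PrivUserGroup</Data>
<Data Name="SubjectUserName">CRMSRV01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
</EventData></Event>
<Event><System><EventID>4728</EventID></System><EventData>
<Data Name="MemberName">CN=asmith,OU=CRM,DC=contoso,DC=local</Data>
<Data Name="TargetUserName">PrivUserGroup</Data>
<Data Name="SubjectUserName">crmadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
</EventData></Event>
<Event><System><EventID>4728</EventID></System><EventData>
<Data Name="MemberName">CN=jdoe,OU=CRM,DC=contoso,DC=local</Data>
<Data Name="TargetUserName">Helpdesk</Data>
<Data Name="SubjectUserName">crmadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
</EventData></Event>
</Events>"""

def group_changes(xml_text, group_prefixes=("privusergroup",)):
    """Return (group, member, actor, actor_kind) per add-member event on a watched group."""
    rows = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) not in MEMBER_ADDED:
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        group = data.get("TargetUserName", "")
        # Group name from the thread, matched case-insensitively by prefix.
        if not group.lower().startswith(group_prefixes):
            continue
        actor = data.get("SubjectUserName", "")
        # A trailing "$" is the naming convention for computer (machine) accounts.
        kind = "machine account" if actor.endswith("$") else "user account"
        rows.append((group, data.get("MemberName", ""),
                     f'{data.get("SubjectDomainName", "")}\\{actor}', kind))
    return rows

if __name__ == "__main__":
    for group, member, actor, kind in group_changes(SAMPLE):
        print(f"{group}: {member} added by {actor} ({kind})")
```

The Subject fields of each event name the security principal the domain controller authenticated for the change, so the output shows directly whether it was the CRM server's machine account or the administrator's own account.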