Active Directory Best Practices for Legacy user data

  • Question

  • I'm wondering what other people are doing to maintain data history in CRM when users/employees leave an organization? Is it necessary to maintain the AD user account for CRM users that have been disabled and will not require re-activation in the future? Should the AD accounts remain active, or should they be deactivated or deleted as part of regular AD maintenance activities?

    There are a couple of different scenarios that I'm interested in hearing about on how other people have handled Active Directory maintenance.

    1. A user has created or modified records in CRM and leaves the organization, but you want to maintain that user history. Re-assigning those events to other current users is not an option. The user record is deactivated in CRM. What happens if that user record is subsequently deleted in Active Directory as part of AD maintenance? Will CRM choke?

    2. Data is fed into CRM from another legacy database. Some of that data has created or modified records for users that no longer have AD accounts (were deleted years ago). Since CRM is 100% reliant on AD, I assume that the AD account will need to be re-created in order to successfully feed the data into CRM. Once the data is fed over, I assume the answer to my first question would then apply. The user could be deactivated in CRM (so as to not eat up a license), but what about the AD account? Does it need to remain? Can it be deactivated or deleted?

    Interested to hear how others are managing CRM legacy data in conjunction with a best practice approach to managing AD.

    Would love to hear Microsoft's suggested approach on this one if possible. I haven't found any documentation related to CRM + AD maintenance.



    Wednesday, September 19, 2012 4:25 AM

All replies

  • Hi Dave,

    That is a very good question. Based on my experience:

      • This will vary from company to company with regard to re-assigning data to other users, how long to retain historical data, etc. If users are deleted from AD, this will not cause direct issues in CRM, and if you need the account re-created and linked again with the same user, there are workarounds that can do this quite easily. So CRM will not choke if it can't find the AD GUID; it will only look for this when a user is logged on.
      • If you are importing data and you are populating a user lookup field, what matters during this process is the CRM GUID. The AD accounts can be deleted or deactivated; as I mention in point 1, there is a workaround for linking an account with a new AD account.

    The AD <-> CRM integration, I believe, is based purely on authentication, and when an account is created in CRM a new GUID is generated which is CRM-specific, and that's why CRM can be very flexible with regard to AD objects.

    Hope this helps

    Visit my blog for CRM material, improving performance, kerberos, IFD, development tips, etc. :) http://quantusdynamics.blogspot.com

    Wednesday, September 19, 2012 8:45 AM