CRM 2011 Active Directory Security Groups vs Minimum Permissions Required

  • Question

    I need help figuring out the following:

     

    As per TechNet: 

    "The user account used to run Microsoft Dynamics CRM Server Setup requires the following minimum permissions:

    [...]

    - Have organization and security group creation permission in Active Directory directory service. "

     

    I understand that the installation user account will be able to create the 4 security groups in Active Directory, under the specified Organizational Unit. Fine. 

     

    As per the Microsoft documentation, the ReportingGroup must contain "All Microsoft Dynamics CRM users are included in this group. This group is updated automatically as users are added and removed from Microsoft Dynamics CRM. "

     

    How can CRM add users to the ReportingGroup if only the installation user account was granted the 'organization and security group creation permission in Active Directory'?

     

    Please help me clarify this! 

     

    Thanks! 

     

    Maxime 

     

     


    Wednesday, July 6, 2011 3:41 PM

Answers

  • The CRM application pool account is the one that maintains the membership of the ReportingGroup. This account is a member of the SQLAccessGroup, and looking at a couple of CRM implementations, the SQLAccessGroup has explicit permission to modify the membership of the ReportingGroup, which I expect was granted during the CRM installation process.
    Microsoft CRM MVP - http://mscrmuk.blogspot.com  http://www.excitation.co.uk
    • Marked as answer by Jim Glass Jr Monday, July 11, 2011 3:59 PM
    Monday, July 11, 2011 2:48 PM
    Moderator
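
One way to verify the delegation this answer describes, as an added example that is not part of the original thread: read the ReportingGroup's ACL and list the allow entries that grant write access to its `member` attribute, then list who holds that right through the SQLAccessGroup. The distinguished names are placeholders and the function name `Get-MemberWriteAce` is hypothetical; the ActiveDirectory (RSAT) module is assumed.

```powershell
# Added example: audit who can change the membership of the CRM ReportingGroup.
# Requires the ActiveDirectory module and read access to the group's ACL.
Import-Module ActiveDirectory

# Assumptions: placeholder distinguished names. Replace them with the groups
# that CRM Setup created in your organizational unit.
$reportingGroupDn = 'CN=ReportingGroup-PLACEHOLDER,OU=CRM,DC=example,DC=com'
$sqlAccessGroupDn = 'CN=SQLAccessGroup-PLACEHOLDER,OU=CRM,DC=example,DC=com'

# schemaIDGUID of the 'member' attribute; an empty GUID means "all properties".
$memberAttribute = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$allProperties   = [guid]::Empty
$writeProperty   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

function Get-MemberWriteAce {
    param([Parameter(Mandatory)][string]$GroupDn)

    # Keep Allow ACEs whose rights include WriteProperty (GenericWrite and
    # GenericAll include that bit) and that are scoped to 'member' or to all
    # properties. ACEs granted through a property set are not matched here.
    (Get-Acl -Path "AD:\$GroupDn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $writeProperty) -and
        ($_.ObjectType -eq $memberAttribute -or $_.ObjectType -eq $allProperties)
    }
}

# 1. Principals that can modify ReportingGroup membership.
Get-MemberWriteAce -GroupDn $reportingGroupDn |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize

# 2. Accounts that inherit that right by being in the SQLAccessGroup
#    (the CRM application pool account should appear here).
Get-ADGroupMember -Identity $sqlAccessGroupDn -Recursive |
    Select-Object SamAccountName, objectClass, distinguishedName |
    Format-Table -AutoSize
```

Entries in the first table other than the SQLAccessGroup and the built-in administrative groups, or unexpected accounts in the second, are the ones to review against least privilege.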

All replies

  • The platform uses the context of that elevated user for those operations.
    Jamie Miley
    http://mileyja.blogspot.com
    Wednesday, July 6, 2011 4:13 PM
    Moderator
  • Hi

    Please see this blog for details on installing MS CRM with pre-configured AD groups:

    http://xrmadventures.wordpress.com/2011/03/31/microsoft-crm-2011-application-install-with-pre-created-ad-groups/

    Thanks and Regards

    AniMandal

    Wednesday, July 6, 2011 6:53 PM
  • Hi Jamie,

    Thank you for taking the time to read my thread. 

    Could you please give me more details on how this is accomplished? 

    That would indicate that the installation user account must be enabled at all times? 

     

    Sorry AniMandal, but that's not the information I'm looking for. 

     

    Maxime 

     

    Wednesday, July 6, 2011 7:24 PM
  • I am not finding any info on people having problems with this with some Google searching.  I would make sure you have at least one other system administrator that is also a deployment administrator for CRM though.  You need to go into deployment manager on the CRM server to see who is a deployment admin, and you also need to be a deployment admin to use deployment manager.

    If you find you have a problem with CRM after disabling the user in CRM you can always go right into the database using SA and manually toggle the IsDisabled flag in the CRM database in the systemuserbase table.

    So I guess I would just test disabling the user in CRM first before disabling them in Active Directory.

    Make sense?


    Jamie Miley
    http://mileyja.blogspot.com
    Wednesday, July 6, 2011 8:00 PM
    Moderator
  • I don't know :P 

    I would have thought that the CRM App Pool Identity (the domain user account specified to run the App Pool) would be the credentials used to manage the groups, but since this account does not have any additional permissions in AD, it cannot manage group memberships. So... which account is used? 

    Honestly, I don't have any issues with any of my (many) deployments. I never had to disable the setup user or never had an expired account. I'm just trying to figure out how it works under the cover. 

    Maxime 

    Wednesday, July 6, 2011 8:10 PM
  • Maybe someone from the Microsoft Dynamics CRM team could add info on this one? 
    Thursday, July 7, 2011 12:11 PM
  • I don't think it's the app pool security account.  I would maybe look at the account some of the processes on the server for CRM are running under.
    Jamie Miley
    http://mileyja.blogspot.com
    Thursday, July 7, 2011 2:27 PM
    Moderator
  • By any chance, do you know any Office or Outlook 2010 policies that need to be tweaked at the GPO level?  If we turn off our Office 2010 policy that has been set up, CRM 2011 works fine with Office 2010.  Thought I would ask, before we modify our admin template this week.  Any suggestions would greatly be appreciated!

    Thanks!

    Tuesday, July 12, 2011 5:35 PM