Adding CRM user not in AD

  • Question

  • We are migrating from MS CRM 4.0 to MS CRM 2011 (on premise)

    Rather than a straight upgrade we are taking the opportunity to clean up the data, remove unwanted customisation and change the SQL collation while migrating to a new system.

    To migrate rather than upgrade we need to create all CRM users (disabled and enabled) so that we can be sure that we correctly represent the data from MS CRM 4.0; for example, a disabled user may have been involved in a meeting, so we need to create them in the new system, create the appointment, then disable the user.

    Because some of the CRM users have been disabled for over 6 months they no longer have an AD account on the domain; this is preventing us from creating the users in the new MS CRM 2011.

    The access management team here are not happy about creating all of the disabled users in AD just so we can create the new users in CRM; even though we can shut them down straight afterwards.

    As far as I know you must have the User in AD but I wanted to confirm this before I go any further.

    Can you advise of another method of adding users into CRM without an AD entry so the data integrity is maintained?

    Thursday, January 5, 2012 3:08 PM

Answers

  • Ultimately, every CRM user record has to be mapped to a unique AD account, and this AD account has to exist in AD at the time of user creation. Any variation from this is definitely unsupported, and risks data integrity issues.

    Your safest option will be to have a set of dummy AD accounts created, and create the disabled CRM users mapped to these AD accounts. I believe the AD accounts can be disabled at the time that the CRM user is created, so there are no security implications.


    Microsoft CRM MVP - http://mscrmuk.blogspot.com  http://www.excitation.co.uk
    Thursday, January 5, 2012 9:33 PM
    Moderator
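
One way to prepare the disabled placeholder accounts that the answer above suggests, as an added example that is not part of the thread. The OU path, the domain and the sample user list are constructed assumptions; the script only creates accounts for legacy users who no longer exist in AD, and it creates them disabled with a random password that is never stored.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumption: a dedicated OU so the placeholders are easy to audit and remove.
$PlaceholderOu = 'OU=CRM Migration Placeholders,DC=contoso,DC=example'

# Constructed sample of a CRM 4.0 user export (DOMAIN\logon name, full name).
$LegacyUsers = @'
DomainName,FullName
CONTOSO\jsmith,John Smith
CONTOSO\adavies,Anne Davies
'@ | ConvertFrom-Csv

function New-RandomPassword {
    # 32 random bytes, base64-encoded; the value is never stored or displayed.
    $bytes = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

foreach ($user in $LegacyUsers) {
    $sam = ($user.DomainName -split '\\')[-1]
    $samForFilter = $sam.Replace("'", "''")   # escape quotes for the AD filter

    # Skip anyone who still has an AD account; CRM can map those directly.
    if (Get-ADUser -Filter "SamAccountName -eq '$samForFilter'") {
        Write-Output "exists:      $sam"
        continue
    }

    # Create the placeholder disabled, so it cannot be used to log on.
    New-ADUser -Name $user.FullName -SamAccountName $sam `
        -Path $PlaceholderOu -Enabled $false `
        -AccountPassword (New-RandomPassword) `
        -Description 'Placeholder for CRM 2011 migration; do not enable' `
        -WhatIf   # remove -WhatIf to actually create the accounts
    Write-Output "placeholder: $sam (disabled)"
}
```

Keeping the placeholders in one OU with a fixed description lets the access management team review them and delete them in one pass once the migration has been verified.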

All replies

  • We've done something similar to import historical data from other systems to CRM 4.0. It may not be strictly supported but this approach did work successfully for us. This was also in CRM 4.0 so YMMV with 2011.

    1.  We wrote a user import utility to manage this process.  It iterates through the list of users to create.

    2. If during the create call, CRM can't resolve the user to an AD account, then import the user using a pre-established "dummy account".  This dummy account is a valid AD account.

    3.  Manipulate the newly imported user via SQL to null out the SSID references, and update the name and domain fields to what it should be.

    This way, CRM will just think the user once existed in AD but was deleted and knows how to handle this gracefully, AND you can continue to reuse the single "dummy" account because you've overwritten the information associating the CRM user to AD.

    Thursday, January 5, 2012 8:01 PM
  • Thank you for taking the time to confirm my thoughts.
    Friday, January 6, 2012 9:58 AM
  • Hi Ken,

    How do you "Manipulate the newly imported user via SQL to null out the SSID references"? I set null to ActiveDirectoryGuid in systemuserbase and AuthInfo in mscrm_config -> SystemUserAuthentication and still cannot create a second user with the same AD user. I am on CRM 2011 on-premise.

    Thanks


    Friday, February 21, 2014 2:35 AM
  • Hi David - The User Mapping wizard allows you to proceed without mapping all CRM Users to AD Accounts (you just have to map the logged in User/Sys Admin). Everything I can find online suggests your answer, which is that AD Account mapping is required, but I cannot find this in any of the MS documentation or information that describes the specific issues of not mapping.

    I am trying to find the implications of not mapping the users during import of the CRM organization.  For the most part the un-mapped CRM Users are disabled in CRM, hence why the AD account has been deleted.  Obviously data integrity must be maintained, but these Users will not need to access CRM again in the future.  

    Any thoughts?

    Thank you!

    Tuesday, August 19, 2014 6:31 PM
  • As mentioned above me by PTWoodman (guess that's not really the name :)

    You do not have to map all users but there are 2 scenarios:

    1. If you'll do an In-Place upgrade on the same server - CRM will try to find those missing users and you might end up with the upgrade crashing or not going through at all.

    2. If you install a fresh CRM 2011 server and you import the organization to the new server (Google: CRM import organization) - Then you can map only the active users or any other users you wish to have in the new deployment.

    Thanks


    Please vote if you find my post helpful - Thanks

    Thursday, August 21, 2014 12:40 PM