Granting CRM Deployment Administrator Permissions to the CRM Active Directory Groups

The user who creates, modifies, edits, and imports organizations in Microsoft Dynamics CRM must have permissions in the following Microsoft Dynamics CRM security groups in Active Directory:

  • PrivReportingGroup {guid}

  • PrivUserGroup {guid}

  • ReportingGroup {guid}

  • SQLAccessGroup {guid}

    The CRM Deployment Administrator must have permissions to all five Microsoft Dynamics CRM security groups. The specific permissions a deployment administrator must have on the CRM security groups are:

    Permissions

    • Read

    • Write

    • Add/Remove self as member

    Advanced permissions

    • List Contents

    • Read All Properties

    • Write All Properties

    • Read Permissions

    • Modify Permissions

    • All Validated Writes

    • Add/Remove self as member

      The group will be used to grant the necessary permissions to the Microsoft Dynamics CRM security groups. To do so, use the following steps:

  1. On a domain controller, start the Active Directory Users and Computers management console.

  2. On the View menu, click Advanced Features.

  3. Expand contoso.com.

  4. Select the organization unit containing the CRM Security groups (as defined during the installation of the first CRM server), The listing pane should display the following CRM security groups:

    • PrivReportingGroup {�}
    • PrivUserGroup {�}
    • ReportingGroup {...}
    • SQLAccessGroup {�}

    Note

    • In the previous list, the {...} represents the globally unique identifier (GUID) following the group name. The GUID will be unique in every deployment. A representative example group name could be ReportingGroup {4efba72a-232f-44ec-9d95-155eb6ffb1be}.
  5. Right-click the PrivReportingGroup security group and then click Properties.

  6. In the Properties dialog box, select the Security tab, and in the Group or user names list, click Add.

  7. In the Enter the object name to select text box, type CRMDG01Admins, click the Check Names button, and then click OK.

  8. With the CRMDG01Admins group selected, click to select the Allow check box for the Write permission. This action causes the system to select automatically the Add/Remove self as member check box.

    Note

    • By default, the Allow check box is selected for the Read permission.
  9. Click Advanced.

  10. In the Permission list, select the CRMDG01Admins group, and then click Edit.

  11. Click to select the Allow check box for the Modify Permissions permission.

    Note

    By default, the Allow check box is selected for the following permissions:

    • List Contents
    • List Object
    • Read All Properties
    • Write All Properties
    • Read Permissions
    • All Validated Writes
    • Add/Remove self as member
  12. Click OK three times.

  13. Repeat the steps in this procedure to grant the CRMDG01Admins permissions to modify the PrivUserGroup, ReportingGroup, and SQLAccessGroup security groups.