Change a Microsoft Dynamics CRM service account
There are situations in which you may need to change the account that is used to run a Microsoft Dynamics CRM service.
Change a Microsoft Dynamics CRM service account by running a repair
The simplest way to change a service account is to run a repair operation and then specify the new service account during the repair. There may be a short downtime as the services are stopped and files are verified and possibly refreshed as part of the repair. For more information, see Uninstall, change, or repair Microsoft Dynamics CRM Server 2011 in the Installing Guide.
To change the CRMAppPool service account, the appropriate permissions must be granted or the CRMAppPool application pool will not start. Additionally, if you are using claims-based authentication the CRMAppPool service account must have permission to access the claims-based authentication token-signing certificate.
Manually change the CRMAppPool service account
1. To manually change the CRMAppPool service account, include the domain account user in the following groups in Active Directory:
   - Domain Users
   - PrivUserGroup
   - SQLAccessGroup
   To do this, follow these steps:
   a. Log on to a server as a user who has domain administrator rights or the rights to update these groups.
   b. Right-click the Domain Users group in Active Directory, and then click Properties.
   c. In the Group name box, type the name of the user who is running the Microsoft Dynamics CRM application pool, and then click OK two times.
      Important
      Direct user account membership to the Microsoft Dynamics CRM privusergroup security group is required; group membership nesting under privusergroup currently is not supported. For example, if you add a security group named mycrmprivgroupusers to privusergroup, members of mycrmprivgroupusers will not resolve as privusergroup members. This includes the CRMAppPool or the SQL Server Reporting Services service identities, which, if granted membership to privusergroup through another security group, can cause system-wide failures in the Microsoft Dynamics CRM web application and reporting features.
   d. Repeat steps b and c for the PrivUserGroup group and for the SQLAccessGroup group.
   If you have more than one Microsoft Dynamics CRM deployment installed, multiple groups exist in Active Directory. Use the following steps to determine the groups that you want to update.
   Determine the groups to update
   a. Run the following SQL statement against the MSCRM_CONFIG database:
      select id, friendlyname from organization
   b. Note the GUID. For example, the query may return the row C8AB1D52-9383-4164-B571-4C80D46674E3 Org Name, where the first column is the GUID.
   c. Find the PrivUserGroup group and the SQLAccessGroup group in Active Directory. The group name contains the GUID that you noted in step b.
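The group-determination steps above can be scripted so that the organization GUID is never copied by hand. The following PowerShell is an added example, not code from the Microsoft page: it runs the page's query against MSCRM_CONFIG and then looks up the PrivUserGroup and SQLAccessGroup whose names contain each organization's GUID. It assumes the ActiveDirectory module is installed, that the caller's Windows account can read MSCRM_CONFIG, and that the $SqlInstance default (a placeholder) is replaced with the real configuration database server.

```powershell
# Added example (not from the Microsoft page): find the PrivUserGroup and
# SQLAccessGroup that belong to one deployment when several deployments share
# an Active Directory forest. Runs the page's query against MSCRM_CONFIG and
# matches each organization GUID against Active Directory group names.
# Assumptions: ActiveDirectory module present, caller can read MSCRM_CONFIG,
# $SqlInstance is a placeholder to replace with the real server name.
param(
    [string] $SqlInstance = 'CRMSQL01',     # placeholder value
    [string] $Database    = 'MSCRM_CONFIG'
)
Import-Module ActiveDirectory

function Get-CrmOrganization {
    # Returns one object per row of "select id, friendlyname from organization".
    # Integrated Security means the query runs as the caller's Windows identity.
    param([string] $Instance, [string] $Db)
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Instance;Database=$Db;Integrated Security=True")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'select id, friendlyname from organization'
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            [pscustomobject]@{
                Id           = [guid]$reader['id']
                FriendlyName = [string]$reader['friendlyname']
            }
        }
    } finally {
        $conn.Dispose()
    }
}

function Get-CrmDeploymentGroup {
    # The CRM groups are named with the GUID (for example "PrivUserGroup {GUID}"),
    # so a wildcard match on the GUID text isolates this deployment's two groups.
    # Name matching in Active Directory is case-insensitive.
    param([guid] $OrganizationId)
    $filter = "Name -like '*$($OrganizationId.ToString())*'"
    Get-ADGroup -Filter $filter |
        Where-Object { $_.Name -like 'PrivUserGroup*' -or $_.Name -like 'SQLAccessGroup*' }
}

foreach ($org in Get-CrmOrganization -Instance $SqlInstance -Db $Database) {
    "Organization '$($org.FriendlyName)' ($($org.Id)):"
    Get-CrmDeploymentGroup -OrganizationId $org.Id |
        ForEach-Object { "  $($_.Name)  [$($_.DistinguishedName)]" }
}
```

Run it from a machine that has the RSAT Active Directory tools; the output lists, per organization, the exact group names to use in the membership steps, so a group from a different deployment is not updated by mistake.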
2. Include the domain account user in the following groups on the Microsoft Dynamics CRM server:
   - The local IIS_WPG group
   - The local CRM_WPG group
   The domain account user must have the following local user rights:
   - Impersonate a client after authentication
   - Log on as a service
   To do this, follow these steps:
   a. On the Microsoft Dynamics CRM server, click Start, point to Administrative Tools, and then click Local Security Policy.
   b. Expand Local Policies, and then click User Rights Assignment.
   c. Right-click Impersonate a client after authentication, and then click Properties.
   d. Click Add User or Group.
      Note
      You may have to click Location to select the domain instead of the local computer.
   e. In the Group name box, type the name of the user who is running the Microsoft Dynamics CRM application pool, and then click OK two times.
   f. Repeat steps 2c through 2e for the Log on as a service right.
3. Configure the CRMAppPool application pool security account to use a service principal name (SPN). For steps about how to configure SPNs, see Configuring service principal names (SPNs).
4. If you have more than one Microsoft Dynamics CRM server and IIS kernel-mode authentication is disabled, you must configure the CRMAppPool application pool security account to be trusted for delegation. To do this, follow these steps:
   a. Log on to the domain controller by using a user account that has domain administrator permissions.
   b. Start Active Directory Users and Computers. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
   c. Expand the domain, right-click the Microsoft Dynamics CRM application pool security account, and then click Properties.
   d. On the Delegation tab, click to select the Trust this user for delegation to any service (Kerberos only) option.
   e. Click OK.
5. Restart Internet Information Services (IIS). To do this, click Start, click Run, type IISRESET, and then click OK.
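The manual procedure above (steps 1 through 5) can be carried out from one script, which also lets you verify the direct-membership requirement from the Important note instead of trusting the GUI. The following PowerShell is an added example, not code from the Microsoft page. It assumes Windows PowerShell 5.1 or later (for Add-LocalGroupMember), the ActiveDirectory module, that it is run on the Dynamics CRM server as a domain administrator, and that the deployment's exact PrivUserGroup and SQLAccessGroup names are already known; every parameter default is a placeholder. The user rights are written with secedit, since there is no built-in cmdlet for User Rights Assignment.

```powershell
# Added example (not from the Microsoft page): scripted form of steps 1 to 5.
# Run on the Microsoft Dynamics CRM server as a domain administrator.
# Assumptions: Windows PowerShell 5.1+, ActiveDirectory module, group names
# already determined. All parameter defaults are placeholders.
param(
    [string]   $ServiceAccount = 'CONTOSO\svc-crmapppool',                                # placeholder
    [string]   $PrivUserGroup  = 'PrivUserGroup {00000000-0000-0000-0000-000000000000}',  # placeholder
    [string]   $SqlAccessGroup = 'SQLAccessGroup {00000000-0000-0000-0000-000000000000}', # placeholder
    [string[]] $SpnHostNames   = @(),   # step 3: host names to register HTTP/<name> SPNs for
    [switch]   $TrustForDelegation      # step 4: only for multi-server deployments with kernel-mode auth off
)
Import-Module ActiveDirectory
$sam = $ServiceAccount.Split('\')[-1]

function Test-DirectMember {
    # CRM requires direct membership. MemberOf lists only immediate groups, so a
    # membership that exists only through a nested group is reported as $false.
    param([string] $Group)
    $u   = Get-ADUser -Identity $sam -Properties MemberOf, PrimaryGroup
    $gDn = (Get-ADGroup -Identity $Group).DistinguishedName
    return ($u.PrimaryGroup -eq $gDn) -or ($u.MemberOf -contains $gDn)
}

function Grant-UserRight {
    # Appends the account's SID to each right with secedit while keeping the
    # existing grantees (secedit /configure replaces the whole list otherwise).
    param([string] $Account, [string[]] $Rights)
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $export = Join-Path $env:TEMP 'rights-export.inf'
    $apply  = Join-Path $env:TEMP 'rights-apply.inf'
    secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
    $inf = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Privilege Rights]')
    foreach ($right in $Rights) {
        $line     = Get-Content $export | Where-Object { $_ -like "$right =*" } | Select-Object -First 1
        $grantees = @(("$line" -replace "^$right\s*=\s*", '') -split ',' | Where-Object { $_ -ne '' })
        if ($grantees -notcontains "*$sid") { $grantees += "*$sid" }
        $inf += "$right = " + ($grantees -join ',')
    }
    Set-Content -Path $apply -Value $inf -Encoding Unicode
    secedit /configure /db (Join-Path $env:TEMP 'rights-apply.sdb') /cfg $apply /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }
}

# Step 1: Active Directory groups, verified as direct membership afterwards.
foreach ($g in @('Domain Users', $PrivUserGroup, $SqlAccessGroup)) {
    if (-not (Test-DirectMember -Group $g)) { Add-ADGroupMember -Identity $g -Members $sam }
    if (-not (Test-DirectMember -Group $g)) { throw "$ServiceAccount is not a direct member of '$g'" }
}

# Step 2: local groups and user rights on the CRM server.
foreach ($lg in @('IIS_WPG', 'CRM_WPG')) {
    if (-not (Get-LocalGroupMember -Group $lg -Member $ServiceAccount -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group $lg -Member $ServiceAccount
    }
}
# SeImpersonatePrivilege = "Impersonate a client after authentication"
# SeServiceLogonRight    = "Log on as a service"
Grant-UserRight -Account $ServiceAccount -Rights @('SeImpersonatePrivilege', 'SeServiceLogonRight')

# Step 3: SPNs. setspn -S checks the forest for a duplicate before adding,
# because a duplicate SPN silently breaks Kerberos authentication to the site.
foreach ($h in $SpnHostNames) { setspn -S "HTTP/$h" $ServiceAccount | Out-Null }

# Step 4: "Trust this user for delegation to any service (Kerberos only)".
if ($TrustForDelegation) { Set-ADUser -Identity $sam -TrustedForDelegation $true }

# Step 5: restart IIS so CRMAppPool starts under the new identity.
iisreset | Out-Null
```

The delegation switch is deliberately off by default: unconstrained delegation lets the account impersonate any authenticated user to any service, so enable it only when the page's condition (more than one CRM server with kernel-mode authentication disabled) actually applies. On a server without the LocalAccounts module, `net localgroup IIS_WPG <account> /add` does the same as Add-LocalGroupMember. Permissions on the claims-based token-signing certificate, mentioned earlier on the page, are not covered by this script and still have to be granted separately.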
See Also
Concepts
Security considerations for Microsoft Dynamics CRM 2011
Move the Microsoft Dynamics CRM 2011 deployment
Enable Windows Error Reporting