CRM 3.0 Effect on Active Directory

This is a question that comes up time and again. I am not sure if this is already documented somewhere in some form, but there is no harm in blogging this information here even if it is already available :-)

How does CRM modify the Active Directory?

CRM 1.2 used to be very much dependent on Active Directory. We even used to have Business Units created in CRM reflected as Organizational Units in Active Directory. Tough times!

With CRM 3.0, CRM has become less dependent on Active Directory.  There are only two integration points I could think of:

  1. First, during installation, four security groups are created in AD that allow the installation user (with Domain Administrator rights) to continue the installation across the platform components such as SQL, AD, IIS and Exchange.
  2. Second, for user authentication. Every user in CRM needs access to specific components such as SQL Reporting and the database views. A couple of groups in AD take care of this.

A description of the four Security Groups:

PrivUserGroup

The account that the CRMAppPool uses
The account that the ASP.NET process model uses
The user account that runs the Microsoft CRM installation
The computer account on which the Microsoft CRM-Exchange E-mail Router will be installed

ReportingGroup

All Microsoft CRM user accounts, including the installing user

SQLAccessGroup

The account that the CRMAppPool uses
The account that the ASP.NET process model uses
The user account that runs the Microsoft CRM installation

UserGroup

All Microsoft CRM user accounts, including the installing user
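
An added example, not from the original post or from Microsoft: a PowerShell check that compares exported group membership with the accounts listed above, reading the accounts under each group as its intended members. The account names, the function names and the sample membership are constructed for illustration.

```powershell
# Added example: account names are constructed placeholders, and the group names
# are taken from the post and may differ from the names in your directory.
$Installer = 'crm-install'
$Expected = @{
    PrivUserGroup  = 'svc-crmapppool', 'svc-aspnet', $Installer, 'EXCH01$'
    SQLAccessGroup = 'svc-crmapppool', 'svc-aspnet', $Installer
}

# Constructed sample membership. On a live domain the ActiveDirectory module's
#   (Get-ADGroupMember -Identity <group>).SamAccountName
# returns the same kind of list for each group.
$Actual = @{
    PrivUserGroup  = 'svc-crmapppool', 'svc-aspnet', 'crm-install', 'EXCH01$', 'jdoe'
    SQLAccessGroup = 'svc-crmapppool', 'crm-install'
    ReportingGroup = 'crm-install', 'asmith', 'jdoe'
    UserGroup      = 'crm-install', 'asmith'
}

function New-Finding($Group, $Account, $Finding) {
    [pscustomobject]@{ Group = $Group; Account = $Account; Finding = $Finding }
}

function Test-CrmGroupMembership {
    param([hashtable]$Expected, [hashtable]$Actual, [string]$Installer)
    # Service-account groups: membership should match the listed accounts exactly.
    foreach ($group in $Expected.Keys) {
        $want = @($Expected[$group])
        $have = @($Actual[$group] | Where-Object { $_ })
        $have | Where-Object { $want -notcontains $_ } |
            ForEach-Object { New-Finding $group $_ 'Unexpected member' }
        $want | Where-Object { $have -notcontains $_ } |
            ForEach-Object { New-Finding $group $_ 'Expected member missing' }
    }

    # ReportingGroup and UserGroup both hold every CRM user, so they should match.
    $rep = @($Actual['ReportingGroup'] | Where-Object { $_ })
    $usr = @($Actual['UserGroup'] | Where-Object { $_ })
    $rep | Where-Object { $usr -notcontains $_ } |
        ForEach-Object { New-Finding 'ReportingGroup' $_ 'Not in UserGroup' }
    $usr | Where-Object { $rep -notcontains $_ } |
        ForEach-Object { New-Finding 'UserGroup' $_ 'Not in ReportingGroup' }
    foreach ($g in 'ReportingGroup', 'UserGroup') {
        if (@($Actual[$g]) -notcontains $Installer) { New-Finding $g $Installer 'Installing user missing' }
    }
}

Test-CrmGroupMembership $Expected $Actual $Installer | Sort-Object Group, Account | Format-Table -AutoSize
```

An unexpected account in PrivUserGroup or SQLAccessGroup is the finding to look at first, since those two groups hold the service and installation accounts rather than ordinary CRM users.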

FAQs:

The one thing that Administrators are usually concerned about:

1. "Does CRM modify the Active Directory Schema?"

NO. Neither CRM 1.2 nor CRM 3.0 modifies the Active Directory Schema. So no worries!

2. "Domain Administrator privileges for a user installing CRM is absolutely a 'No-No'. Is there a way out?"

Yes. You can install CRM 3.0 without Domain Admin privileges. But this would require pre-creating the security groups and a 'command-line only' installation pointing to XML configuration files. More information is available here: https://support.microsoft.com/kb/908984.

 

I hope this information comes in handy whenever we talk about CRM impact on Active Directory.

Best,

pk