Wednesday, April 18, 2007

Why do you need domain admin rights?

If you start with the preparations for installing MS Dynamics CRM, you need an installation account. In general, with a domain admin account you will not run into conflicts over sufficient rights or other annoying Active Directory issues.

Unfortunately, the real world is not so easy, and you have to compromise with your client's system administrator. If you are lucky, he will install it using an account with domain admin rights, but that won’t happen often.

Especially in larger organizations this will be a challenge. You have to convince the IT manager that you need a separate installation account with the necessary rights, preferably domain admin. The system administrator usually freaks out when you mention that you or the installation will need admin rights and that it also changes some things in the AD. This is like the famous line from Fawlty Towers, ‘don’t mention the war’, when Basil Fawlty (John Cleese) got some German tourists in his hotel (episode “The Germans”).

Usually the solution is simple: you can add an OU in the AD, for example “mscrm”. In this OU, you or the installation can create 4 groups (PrivUsergroup, ReportingGroup, SQLAccessGroup and Usergroup).

The installation account needs the right “Read/Write All properties on this object only and child object” on the OU mentioned earlier. You also need to add the “Create Group Right”. This should be sufficient to proceed with the installation; after installation it should be possible to remove the “Create Group Right”. Please test for yourself!

And usually you have to add “trust for delegation” to the application server too, depending on your architecture.
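The OU delegation described above (not the trust for delegation) can be scripted as follows. This is an added example, not part of the original post: it assumes the ActiveDirectory PowerShell module, a constructed domain `example.local` and a hypothetical installation account `EXAMPLE\svc-crminstall`, and it reads the property right as applying to the OU and its child objects.

```powershell
# Added example. Constructed names: example.local, EXAMPLE\svc-crminstall.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$ouDn      = 'OU=mscrm,DC=example,DC=local'
$installer = [System.Security.Principal.NTAccount]::new('EXAMPLE\svc-crminstall')
$groupGuid = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "group"
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

# ACE 1: read/write all properties on the OU and its child objects (assumed scope).
$propRule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $installer,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    $allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# ACE 2: create child objects of class "group" only, directly under the OU.
$createGroupRule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $installer,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    $allow,
    $groupGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

function Grant-CrmInstallRights {
    # Create the OU if it is missing, then add both ACEs to its DACL.
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$ouDn'")) {
        New-ADOrganizationalUnit -Name 'mscrm' -Path 'DC=example,DC=local'
    }
    $acl = Get-Acl -Path "AD:\$ouDn"
    $acl.AddAccessRule($propRule)
    $acl.AddAccessRule($createGroupRule)
    Set-Acl -Path "AD:\$ouDn" -AclObject $acl
}

function Revoke-CrmCreateGroup {
    # After setup: drop only the create-group ACE and keep the property ACE.
    $acl = Get-Acl -Path "AD:\$ouDn"
    [void]$acl.RemoveAccessRule($createGroupRule)
    Set-Acl -Path "AD:\$ouDn" -AclObject $acl
}

function Get-CrmInstallAces {
    # Review the explicit ACEs the installation account still holds on the OU.
    (Get-Acl -Path "AD:\$ouDn").Access |
        Where-Object { $_.IdentityReference.Value -eq $installer.Value -and -not $_.IsInherited } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritanceType
}
```

Run `Grant-CrmInstallRights` before setup and `Revoke-CrmCreateGroup` afterwards; `Get-CrmInstallAces` lets the system administrator confirm what the account still holds.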

Note: This solution is from my own experience and might not be the solution for your installation.
