Thursday, September 25, 2014

On-premise deployment of Dynamics CRM 2011

Dynamics CRM controls access to its resources by using Active Directory for
authentication. This is accomplished by creating several Active Directory security groups
and then managing the membership of those groups as users are added to or removed from the
Dynamics CRM system.

Security Groups
Here is a list of the security groups, their function, and notes about their usage:

PrivReportingGroup
This is the privileged Dynamics CRM user group for reporting functions. This group is
created during Dynamics CRM server setup and configured during Dynamics CRM
reporting extensions setup.
The server where Dynamics CRM Reporting Extensions is installed will automatically be
made a member of this group.

PrivUserGroup
This is the privileged Dynamics CRM user group for special administrative functions,
including the CRMAppPool identity (which is either a domain user account or the
NetworkService account).
Users who provide administration for a Dynamics CRM Server 2011 system must be added
to this group. You must also add the following computers to this group, or verify that
they are already members:
* The server where Microsoft Dynamics CRM Server 2011 is installed.
* If you are using the E-mail Router, the server where Microsoft Exchange Server is
installed.
The person who installed Dynamics CRM will automatically be a member of this group.

ReportingGroup
All Dynamics CRM users are included in this group which is automatically updated as
users are added and removed from Dynamics CRM. By default, all Dynamics CRM
Reporting Services Reports grant Browse permission to this group.

SQLAccessGroup
All server processes and service accounts that require access to SQL Server, including the
CRMAppPool identity (domain user or NetworkService). Members of this group have
db_owner permission on the Dynamics CRM databases.
The server where Dynamics CRM is installed also needs to be a member of this group.
It should have been added automatically when the software was installed.

Security Group Naming
Each security group name will have a globally unique identifier (GUID) appended to the
name. This is a unique identifier which identifies the deployment. Each of the security
groups within a deployment will share the same identifier.
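
The naming and membership rules described in this post can be checked against an export of group memberships. The following is an added example, not part of the original post and not Microsoft tooling; the exact name layout (space and braces before the GUID), the input shape, the GUIDs, the host name CRM01$ and the account names are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# The four group roles named in the post.
ROLES = ("PrivReportingGroup", "PrivUserGroup", "ReportingGroup", "SQLAccessGroup")
# Assumption: the GUID follows the role name, optionally after a space and
# wrapped in braces. The post only says the GUID is "appended" to the name.
NAME_RE = re.compile(
    r"^(?P<role>" + "|".join(ROLES) + r")\s*\{?"
    r"(?P<guid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}?$")

def audit(groups, crm_server, service_accounts):
    """groups maps group name -> [(member, objectClass)]; returns sorted findings."""
    deployments = defaultdict(dict)
    for name, members in groups.items():
        m = NAME_RE.match(name.strip())
        if m:  # groups that do not follow the CRM naming scheme are ignored
            deployments[m.group("guid").lower()][m.group("role")] = members
    findings = []
    for guid, roles in deployments.items():
        for role in ROLES:
            if role not in roles:
                findings.append((guid, "missing-group", role))
        # The CRM server's computer account belongs in both of these groups.
        for role in ("PrivUserGroup", "SQLAccessGroup"):
            if role in roles and (crm_server, "computer") not in roles[role]:
                findings.append((guid, "server-not-member", role))
        # SQLAccessGroup grants db_owner: flag users outside the allowlist.
        for member, cls in roles.get("SQLAccessGroup", []):
            if cls == "user" and member not in service_accounts:
                findings.append((guid, "review-db_owner-member", member))
    return sorted(findings)

# Constructed sample export; GUIDs, host and account names are made up.
G1 = "11111111-2222-3333-4444-555555555555"
G2 = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE = {
    f"PrivReportingGroup {{{G1}}}": [("SSRS01$", "computer")],
    f"PrivUserGroup {{{G1}}}": [("CRM01$", "computer"), ("svc-crmapp", "user")],
    f"ReportingGroup {{{G1}}}": [("alice", "user"), ("bob", "user")],
    f"SQLAccessGroup {{{G1}}}": [("CRM01$", "computer"), ("svc-crmapp", "user"), ("bob", "user")],
    f"PrivUserGroup {{{G2}}}": [("svc-crmapp", "user")],
    f"SQLAccessGroup {{{G2}}}": [("CRM01$", "computer")],
    "Domain Users": [("alice", "user")],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE, "CRM01$", {"svc-crmapp"}):
        print(*finding, sep="\t")
```

On the constructed sample this reports the user bob in the first deployment's SQLAccessGroup, and for the second deployment two missing groups plus a PrivUserGroup that lacks the server's computer account.
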
During the installation of the Microsoft Dynamics CRM software, the person installing it is
asked to select an Organizational Unit into which these groups will be created. This can
be anywhere, though it is a general best practice to create a CRM-specific OU so that the
security groups are contained in a single location as shown in the following figure:
