Partager via


Minimum Permissions Required for Dynamics CRM 2011 Setup, Services, and Components

I have been asked to figure out the minimum permissions required to install CRM 2011.  I dig around and I didn’t realize the product group already put the information in the Implementation Guide (IG).  I found the article below from the CRM 2011 IG, just in case you are looking for it, here you go.

-------------------------------------------------------------

Microsoft Dynamics CRM is designed so that its components can run under separate identities. By specifying a domain user account that is granted only the permissions necessary to enable a particular component to function, you help secure the system and reduce the likelihood of exploitation.

This topic describes the minimum permissions that are required by the user account for Microsoft Dynamics CRM services and components.

Microsoft Dynamics CRM Server Setup

The user account used to run Microsoft Dynamics CRM Server Setup that includes the creation of databases requires the following minimum permissions:

  • Be a member of the Active Directory Domain Users group. By default, Active Directory Users and Computers adds new users to the Domain Users group.
  • Be a member of the Administrators group on the local computer where Setup is running.
  • Have Local Program Files folder read and write permission.
  • Be a member of the Administrators group on the local computer where the instance of SQL Server is located that will be used to store the Microsoft Dynamics CRM databases.
  • Have sysadmin membership on the instance of SQL Server that will be used to store the Microsoft Dynamics CRM databases.
  • Have organization and security group creation permission in Active Directory directory service. Alternatively, you can use a Setup XML configuration file to install Microsoft Dynamics CRM Server 2011 when security groups have already been created. For more information see Use the Command Prompt to Install Microsoft Dynamics CRM.
  • If Microsoft SQL Server Reporting Services is installed on a different server, you must add the Content Manager role at the root level for the installing user account. You must also add the System Administrator role at the site-wide level for the installing user account.

Services and CRMAppPool IIS application pool identity permissions

The user account that is used for the Microsoft Dynamics CRM services and IIS application pools require the following permissions:

Important
Microsoft Dynamics CRM services and application pool identity accounts must not be configured as a Microsoft Dynamics CRM user. Doing so can cause authentication issues and unexpected behavior in the application for all Microsoft Dynamics CRM users.

Managed service accounts, introduced in Windows Server 2008 R2, are not supported for running Microsoft Dynamics CRM services.

Microsoft Dynamics CRM Sandbox Processing Service

  • Domain User membership.

  • That account must be granted the Logon as service permission in the Local Security Policy.

  • Folder read and write permission on the \Trace, by default located under \Program Files\Microsoft Dynamics CRM\Trace, and user account %AppData% folders on the local computer.

  • Read permission to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM subkey in the Windows Registry.

  • The service account may need an SPN for the URL used to access the Web site that is associated with it. To set the SPN for the Sandbox Processing Service account, run the following command at a command prompt on the computer where the service is running.

    SETSPN –a MSCRMSandboxService/<ComputerName> <service account>

Microsoft Dynamics CRM Asynchronous Processing Service and Microsoft Dynamics CRM Asynchronous Processing Service (maintenance) services

  • Domain User membership.
  • Performance Log Users membership.
  • That account must be granted the Logon as service permission in the Local Security Policy.
  • Folder read and write permission on the Trace folder, by default located under \Program Files\Microsoft Dynamics CRM\, and user account %AppData% folder on the local computer.
  • Read and write permission to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSCRMSandboxService subkeys in the Windows Registry.
  • The service account may need an SPN for the URL used to access the Web site that is associated with it.

Deployment Web Service (CRMDeploymentServiceAppPool Application Pool identity)

  • Domain User membership
  • That account must be granted the Logon as service permission in the Local Security Policy.
  • Local administrator group membership on the computer where the Deployment Web Service is running.
  • Local administrator group membership on the computer where SQL Server is running.
  • Sysadmin permission on the instance of SQL Server to be used for the configuration and organization databases.
  • Folder read and write permission on the Trace and CRMWeb folders, by default located under \Program Files\Microsoft Dynamics CRM\, and user account %AppData% folder on the local computer.
  • Read and write permission to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSCRMSandboxService subkeys in the Windows Registry.
  • CRM_WPG group membership. This group is used for IIS worker processes. The group is created and the membership is added during Microsoft Dynamics CRM Server Setup.
  • The service account may need an SPN for the URL used to access the Web site that is associated with it.

Application Service (CRMAppPool IIS Application Pool identity)

  • Member of the Active Directory Domain Users group.
  • Member of the Active Directory Performance Log Users group.
  • Administrators local group membership on the computer where SQL Server is running.
  • Administrators local group membership on the computer where the Microsoft Dynamics CRM Web site is installed.
  • Folder read and write permission on the Trace and CRMWeb folders, by default located under \Program Files\Microsoft Dynamics CRM\, and user account %AppData% folder on the local computer.
  • Read and write permission to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSCRMSandboxService subkeys in the Windows Registry.
  • CRM_WPG group membership. This group is used for IIS worker processes. The group is created and the membership is added during Microsoft Dynamics CRM Server Setup.
  • The service account may need an SPN for the URL used to access the Web site that is associated with it.

IIS Application Pool identities running under Kernel-Mode authentication and SPNs

By default, Internet Information Services (IIS) 7.0 and later versions Web sites are configured to use Kernel-Mode authentication. When you run the Microsoft Dynamics CRM Web site by using Kernel-Mode authentication, you may not need configure additional Service Principal Names (SPNs) for the Microsoft Dynamics CRM Application Pool identities.

To determine whether your IIS deployment requires SPNs, see Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0/7.5.

Comments

  • Anonymous
    September 07, 2011
    Hi Darren, it's a shame that the IG or supporting wesbites don't provide similar detail for installing and configuring Microsoft Dynamics CRM for Outlook. Configuring CRM for Outlook: technet.microsoft.com/.../gg554865.aspx. "If you see a message stating that there is an error communicating with Microsoft Dynamics CRM, you may have used credentials with insufficient permissions. Click Change to try authenticating as a user with higher permissions." Not exactly helpful.

  • Anonymous
    December 06, 2011
    All of articles (technet, this bolgs and many other) miss one thing, that (Application Service (CRMAppPool IIS Application Pool identity)) - must have (Logon as service) user right in the Local Security Policy. Setup try to start (MSCRMUnzipService) near the end of installation and fails with logon error if this right is not assigned to Application Service account. Can you "enforce" :) documentation team? or at least this article - for others not to stumble on this