As a result of working within one of our vertical specialties (financial institutions), we are seeing more and more organizations requiring a much higher level of security due to SOX compliance. While there are documented instructions on the topic of creating a configuration file for CRM 2011, some of them had formatting issues and/or were missing pieces needed to support our customers' requirement of a CRM 2011 AutoGroupManagementOff="true" installation.
AutoGroupManagementOff is the mechanism that Microsoft implemented to support organizations that require auditing for every part of the user creation process. Using this feature requires AD administrators to manually add users to the CRM groups that Setup would otherwise manage as part of that process.
These are the groups that an AD administrator will need to create manually and administer going forward. This section documents the AD objects that AD administrators will have to manually add to each group in order to install CRM 2011 and allow users to access CRM going forward. We also recommend creating separate groups for each of your environments (for example, prefix the AD groups with DEV_, STG_ and PRD_).
PrivUserGroup
- The account that the CRMAppPool application pool uses [AD Account running CRM application pool]
- The account that the ASP.NET process model uses [CRM Computer Object]
- The user account that runs the Microsoft Dynamics CRM installation [AD Account used to install CRM]
- The computer account on which the Microsoft Dynamics CRM-Exchange E-mail Router will be installed [CRM Computer Object where Router is installed]
ReportingGroup
- All Microsoft Dynamics CRM user accounts (this includes the user who is installing Microsoft Dynamics CRM) [All user accounts]
SQLAccessGroup
- The account that the CRMAppPool application pool uses [AD Account running CRM application pool]
- The account that the ASP.NET process model uses [CRM Computer Object]
UserGroup
- All Microsoft Dynamics CRM user accounts (this includes the user who is installing Microsoft Dynamics CRM) [All user accounts]
PrivReportingGroup
- The computer account on which the Microsoft Dynamics CRM Data Connector for Microsoft SQL Server Reporting Services will be installed [SSRS Computer Object]
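To create and populate the five groups for one environment prefix according to the list above, here is an added PowerShell example (not from the original post or from Microsoft) that uses the RSAT ActiveDirectory module. The account, computer and user names, the OU path and the DomainLocal group scope are assumptions to replace with your own.

```powershell
# Added example: pre-create and populate the CRM 2011 AD groups for one environment.
# Run as an account allowed to create groups in $GroupOU. All names are placeholders.
Import-Module ActiveDirectory

$Prefix  = 'DEV_'                                                  # DEV_, STG_ or PRD_
$GroupOU = 'OU=[OU Name A],OU=[OU Name B],DC=[DOMAIN NAME],DC=LOCAL'

# Principals from the group list above (assumed names).
$AppPoolAcct = Get-ADUser     -Identity 'svc_crmapppool'   # runs the CRMAppPool
$InstallAcct = Get-ADUser     -Identity 'crm_installer'    # runs CRM Setup
$CrmServer   = Get-ADComputer -Identity 'CRMSRV01'         # CRM server / E-mail Router host
$SsrsServer  = Get-ADComputer -Identity 'SSRS01'           # SSRS Data Connector host
$CrmUsers    = @($InstallAcct) + @('alice', 'bob' | ForEach-Object { Get-ADUser -Identity $_ })

# Group -> members, as documented for each group above.
$Membership = [ordered]@{
    'PrivUserGroup'      = @($AppPoolAcct, $CrmServer, $InstallAcct)
    'SQLAccessGroup'     = @($AppPoolAcct, $CrmServer)
    'ReportingGroup'     = $CrmUsers
    'UserGroup'          = $CrmUsers
    'PrivReportingGroup' = @($SsrsServer)
}

foreach ($base in $Membership.Keys) {
    $name = "$Prefix$base"
    $grp  = Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $GroupOU
    if (-not $grp) {
        # Group scope is an assumption; use the scope your directory design requires.
        $grp = New-ADGroup -Name $name -SamAccountName $name -Path $GroupOU `
                           -GroupCategory Security -GroupScope DomainLocal -PassThru
    }
    Add-ADGroupMember -Identity $grp -Members $Membership[$base]

    # Print the resulting membership so the change can be reviewed against the list above.
    $members = (Get-ADGroupMember -Identity $grp |
                Select-Object -ExpandProperty SamAccountName) -join ', '
    '{0}: {1}' -f $grp.DistinguishedName, $members
}
```

The distinguished names printed at the end are the values to paste into the Groups element of the configuration file.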
This sample configuration file also shows, by distinguished name, the AD groups that the AD administrators create and that CRM will use.
<CRMSetup>
  <Server>
    <Patch update="false">\\server\share\patchfile.msp</Patch>
    <LicenseKey>[Will be found on your CRM 2011 ISO Image]</LicenseKey>
    <SqlServer>[SQL Server Name]</SqlServer>
    <Database create="true" />
    <Reporting URL="[SSRS Report Server URL]" />
    <OrganizationCollation>Latin1_General_CI_AI</OrganizationCollation>
    <basecurrency isocurrencycode="USD" currencyname="US Dollar" currencysymbol="$" currencyprecision="2" />
    <Organization>[Display Name of CRM 2011 Org]</Organization>
    <OrganizationUniqueName>[Database Name and Deployment Org Name, no spaces allowed]</OrganizationUniqueName>
    <Groups AutoGroupManagementOff="true">
      <PrivUserGroup>CN=DEV_PrivUserGroup,OU=[OU Name A],OU=[OU Name B],DC=[DOMAIN NAME],DC=LOCAL</PrivUserGroup>
      <SQLAccessGroup>CN=DEV_SQLAccessGroup,OU=[OU Name A],OU=[OU Name B],DC=[DOMAIN NAME],DC=LOCAL</SQLAccessGroup>
      <ReportingGroup>CN=DEV_ReportingGroup,OU=[OU Name A],OU=[OU Name B],DC=[DOMAIN NAME],DC=LOCAL</ReportingGroup>
      <PrivReportingGroup>CN=DEV_PrivReportingGroup,OU=[OU Name A],OU=[OU Name B],DC=[DOMAIN NAME],DC=LOCAL</PrivReportingGroup>
      <UserGroup>CN=DEV_UserGroup,OU=[OU Name A],OU=[OU Name B],DC=[DOMAIN NAME],DC=LOCAL</UserGroup>
    </Groups>
    <WebsiteUrl create="false" port="80" />
    <InstallDir>D:\Program Files\Microsoft Dynamics CRM</InstallDir>
    <CrmServiceAccount type="DomainUser">
      <ServiceAccountLogin>[Domain Name]\[USER NAME]</ServiceAccountLogin>
      <ServiceAccountPassword>[Your Password]</ServiceAccountPassword>
    </CrmServiceAccount>
    <SandboxServiceAccount type="DomainUser">
      <ServiceAccountLogin>[Domain Name]\[USER NAME]</ServiceAccountLogin>
      <ServiceAccountPassword>[Your Password]</ServiceAccountPassword>
    </SandboxServiceAccount>
    <DeploymentServiceAccount type="DomainUser">
      <ServiceAccountLogin>[Domain Name]\[USER NAME]</ServiceAccountLogin>
      <ServiceAccountPassword>[Your Password]</ServiceAccountPassword>
    </DeploymentServiceAccount>
    <AsyncServiceAccount type="DomainUser">
      <ServiceAccountLogin>[Domain Name]\[USER NAME]</ServiceAccountLogin>
      <ServiceAccountPassword>[Your Password]</ServiceAccountPassword>
    </AsyncServiceAccount>
    <SQM optin="false" />
    <muoptin optin="false" />
    <Email>
      <IncomingExchangeServer name="[EMAIL SERVER ROUTER]" />
    </Email>
  </Server>
</CRMSetup>
Post by: Sean Shilling,