Home > MSCRM General > Active Directory Security Groups for MSCRM

Active Directory Security Groups for MSCRM

When developing custom applications or MSCRM integration with SharePoint, security issues are the prime concerns. In order to handle these issues, one must need to know the internals of MSCRM security and how it interacts with Active Directory.  Microsoft Dynamics CRM stores user information in Active Directory to provide application security. For this purpose, the following Active Directory groups are added to the Organizational Unit specified during installation: 

  1. UserGroup
  2. ReportingGroup
  3. PrivUserGroup
  4. SQLAccessGroup

All Microsoft CRM users. This group is updated automatically as users are added and removed from Microsoft CRM. 

A group that contains all users within Microsoft CRM. This group is updated as users are added to Microsoft CRM. Users in this group have read-only access to the filtered views in the Microsoft CRM database. 

Privileged Microsoft CRM user group for special administrative functions. 

A group that contains Microsoft CRM ASP.NET account and other service accounts. Members in this group have full access to the Microsoft CRM database and this group is used by the Microsoft CRM platform layer. End users should never be added to this group. Now instead of adding each user and granting him access to SharePoint Libraries, try adding these security groups and setting permissions as given in the screenshot below:


Use these two SQL queries to get these groups at your system: 

  • SELECT SqlAccessGroupName FROM FilteredOrganization
  • SELECT ReportingGroupName FROM FilteredOrganization

When developing applications/add-on, please consider these scenarios:

  • Callout and Workflow .NET assemblies typically run under the context of the local machine’s Network Service account.
  • Code called from the client using a custom script typically runs under the context of the logged on user.
  • Code called from the server using an ASPX page running in a Virtual Directory or other Internet Information Services (IIS) site typically runs under the context of the logged on user.

So, configure proper security roles to your users before setting up add-on/custom applications/callouts/workflows. 

For information on how to grant access to your user, please look into MSCRM SDK “External Components”  

For Information on how to manage security at Reports, please look into MSCRM Implementation guide “Understanding Report Permissions”. 

  1. February 22, 2007 at 8:33 am

    this one post very good. i enjoy very much!

  2. Serge Mikviman
    March 28, 2007 at 5:58 pm

    Is there are any options to load users from AD to CRM as an import process?

  3. Amol Gholap
    June 30, 2007 at 1:38 pm

    nice info about relation between MS CRM & Active directory.

  4. February 17, 2009 at 8:31 am

    Hi Amol,

    We are looking for MS CRM professionals for our Pune locations. The details are:

    Title: MS CRM professionals
    Skills: MS CRM 4.0, .net framework
    Experience: 4+ yrs with at least 1.5 years of MS CRM 3.0 / 4.0

    Job Description:
    • Developing, testing, deploying and supporting Microsoft Dynamics CRM customization
    • Custom add-ons built within the .NET framework.
    • This position has tremendous growth potential around Microsoft Dynamics CRM development and implementation.
    • In addition to system implementation, you will gain hands-on experience working with some of the best and newest MS technologies.

    • 3+ years experience developing web applications in a Microsoft environment
    • Functional understanding of the MS CRM Web and Outlook clients
    • Hands-on experience with creating Workflows and extending workflows
    • Hands-on experience with creating Workflows and extending workflows
    • Microsoft SQL Server experience is a plus
    • Self-starter and be able to handle multiple tasks and priorities
    • Enjoy working at an entrepreneurial company
    • Highly motivated and dependable

    If you are really interested please send your updated resume.

    Amit Mahajan
    Recruitment Team

  5. mk
    March 31, 2009 at 6:09 pm

    Privileged Microsoft CRM user group for special administrative functions.

    what are these “administrative functions”?
    i found out, that our user, which is used as default-user for processing a plugin in ms crm 4.0 is “system” (found out with WhoAmI Request). Is this the normal procedure, to initiate a web service-object in context of system user and then add the callerid from the plugin-context?

    i know, that there is the possibility to initiate the service with context.getCrmService(). But then i cant use my customized entities. Well i can, but only with dynamic entities…


  6. March 31, 2009 at 8:07 pm


    This post was written for CRM 3.0.

    Now in CRM 4 plugin runs under System user.

    Secondly, i usually use dynamics entities to implement my logic and they have proved to be very reliable.

  7. mk
    March 31, 2009 at 10:31 pm

    Do you use Callouts too? I could not find any reason, why i should use a callout instead of a Plugin. Are they only available because they were availabele in 3.0?

    Dynamic Entities are realy powerfull. But it is more difficulty to program with DE’s. Especially in big Expansions it ist very compfortable to program against an WSDL-File with the Customized Entities.

    What i need to know is,
    a)is the system user the/one right way to call the CRM Web Service?
    b)does Microsoft support this or has this user some other functions?
    c)Which Rights does this user have?

    Sorry if i flood your blog with this, but i could not find a statement about this with google.

    Kind regards,

  8. Karan Sharma
    May 19, 2009 at 9:18 am

    i want to move my crm data including active directory users, customisations, reports, workflows to a new setup from existing set up.
    could u please tell the procedure to achieve this,

  9. Karan Sharma
    May 19, 2009 at 9:54 am

    i want to perfprm rollout on my mscrm 4.0 including active directory users, customisations, reports, workflows .
    could u please tell the procedure to achieve this,

  10. Mike
    June 24, 2009 at 7:25 am

    The reason i’m posting this here is because this problem may be related to user in grouping but then again i don’t know much about CRM as I’m new to CRM (i don’t mean to offend anyone by postig this here).
    Basically, I am encoutering a problem where i get “Warning: The following user exists and was not added: firstname lastname (domain\username)” when I try to add a user from AD. AD believes it’s not there but CRM thinks it’s there. Now, i believe that the problem may have been caused by the following scenario and it may just be a table where i need to remove that name from so that I can re-add the user. 1. Backup the Database_MSCRM. 2. Add a new user successfully. 3. Restore Backup from step 1. 4. User is no longer in CRM. 5. Try to Add user again but get the above message/problem that I cannot add.
    All other users prior to Backup are all okay.
    Any ideas anyone…
    Thanks and regards,

  11. Janos Kreis
    August 7, 2009 at 9:37 am

    Great Post. Thank you for the explanation. I have a small prob. Due to several redeployments of our test- and development servers, i have now a lot of these crm AD Security Groups in AD and SQL Server. Can I somehow determine which groups (identified with GUID) are the actual ones? I need to delete the old ones in order to have a better overview in AD…
    Any help would be highly appreciated.
    Maybe a small script …

  12. August 11, 2009 at 7:14 am

    well you need to check this from SQL Server. Check the groups in SQL server -> MSCRM_Organization database and then compare them with AD ones. Then remove extra groups.

  13. Aswathy
    September 24, 2010 at 7:56 am

    Wonderful post. Thanks!

  14. February 1, 2011 at 2:13 am

    Thanks for the good writeup. It if truth be told used to be a enjoyment account it. Look complex to more delivered agreeable from you! By the way, how could we be in contact?

  15. Andrew
    August 31, 2011 at 11:08 am

    Hi Ayaz,

    Really useful post – is there a document or reference point that describes in Graphic detail what a DBA shoudl and should not do with CRM databases. We have a very security concious DBA and they want to change permissions – what are the limits. tehre appears to be very little data out there for teh SQL DBA. there is a SQL 2008 whitepaper but that seems to be directed at very specific 2008 features and performnce tuning.

  16. erection uzver tk
    September 28, 2013 at 2:40 pm

    Thanks for one’s marvelous posting! I actually enjoyed reading it,
    you will be a great author. I will make certain to bookmark your
    blog and will come back at some point. I want to encourage you to continue your
    great writing, have a nice weekend!

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: