Install by using pre-created Active Directory security groups
Install Microsoft CRM by using pre-created Active Directory security groups. To do this, follow these steps.
Note If you are enabling Microsoft CRM Setup to install Reporting Services, go to step 2.
1. Install Microsoft CRM to an existing Reporting Services installation by adding the Content Manager role at the root level and the System Administrator role at site-wide level for the installing user account. To do this, follow these steps on the Reporting Services server:
   a. Click Start, click Programs, click Microsoft SQL Server, click Reporting Services, and then click Report Manager.
   b. Click the Properties tab. Then click New Role Assignment.
   c. Enter the name of the installing user in the Group or user name text box, click to select the check box that is next to Content Manager, and then click OK.
      Note Use the following format when you enter the name of the installing user:
      DomainName\UserName
   d. In the upper-right corner, click Site Settings.
   e. Under the Security heading, click Configure site-wide security, and then click New Role Assignment.
   f. Enter the name of the installing user in the Group or user name text box, click to select the check box that is next to System Administrator, and then click OK.
      Note Use the following format when you enter the name of the installing user:
      DomainName\UserName
2. Create the following four security groups in Active Directory:
   - PrivUserGroup
   - ReportingGroup
   - SQLAccessGroup
   - UserGroup
   Repeat steps 2a through 2f for each group that is in the list.
   a. Log on to the domain controller server as a user who has domain administrator permissions.
   b. Click Start, click Administrative Tools, and then expand Active Directory Users and Computers to the root of the domain or to the specific organizational unit (OU) that you want to use to install Microsoft CRM.
   c. Right-click the domain root or the OU that you want to use, click New, and then click Group.
   d. In the Group Name field, enter the name of the group. For example, type PrivUserGroup.
   e. If your domain functional level is Microsoft Windows Server 2003 or Microsoft Windows 2000 native, click Domain local in the Group scope list. If your domain functional level is Windows 2000 mixed, click Global in the Group scope list.
   f. Click OK.
3. Add the installing user account as a member of the Local Administrator group. You must complete steps 3a through 3e on the Microsoft CRM server and on the computer that is running Microsoft SQL Server.
   a. Log on to the server as a user who has local administrator permissions.
   b. Click Start, click Administrative Tools, and then click Computer Management.
   c. Expand System Tools, expand Local Users and Groups, and then expand Groups.
   d. Right-click Administrators. Then click Properties.
   e. Click Add to add the installing user account.
4. If you will turn on Auto Group Management for the installation in the "Set the Auto Group Management option" section, add the following Allow permissions to the security groups in Active Directory for the installing user account:
   Permissions
   - Read
   - Write
   - Add/Remove self as member
   Advanced permissions
   - List Contents
   - Read All Properties
   - Write All Properties
   - Read Permissions
   - Modify Permissions
   - All Validated Writes
   - Add/Remove self as member
   Note If you will turn off Auto Group Management for the installation, you will have to take the following actions when you log on initially and any time that a change must be made to the groups:
   - Log on by using a user account that has the necessary rights.
   - Manually add the users and computers to the appropriate security groups.
   To add the Allow permissions, follow steps 4a through 4i for each security group that you created in step 2:
   a. Log on to the domain controller server as a user who has domain administrator permissions.
   b. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
   c. On the View menu, click Advanced Features.
   d. In the navigation pane, expand the tree to the security group, right-click the security group, click Properties, and then click the Security tab.
   e. From the Group or user names list, select the installing user account if the account is listed. If the account is not listed, click Add to add the installing user account.
   f. Click to select the check box in the Allow column for the Write permission. This action causes the system to automatically select the check box for the Add/Remove self as member permission.
      Note By default, the Read permission is set to Allow.
   g. Click Advanced. From the Permission entries list, select the installing user account, and then click Edit.
   h. Click to select the check box in the Allow column for the Modify Permissions permission.
      Note By default, the List Contents, Read All Properties, Write All Properties, Read Permissions, All Validated Writes, and Add/Remove self as member permissions are set to Allow.
   i. Click OK three times.
5. Create a configuration file to point Microsoft CRM to the pre-created Active Directory security groups. To do this, follow these steps:
   a. Create an XML file that uses the syntax that is in the following example. Modify the variables as appropriate. The table that follows the sample code shows how to modify the variables that are in this example.
      In the following sample code, the XML file is named Config_precreate.xml and the domain name is microsoft.com. These names represent the actual names that you use. The Active Directory hierarchy is as follows: root domain, Company Name OU, Company Name OU.
      Note The Organization, SqlServer, Database create, InstallDir, and WebSiteUrl entries are optional.
```xml
<CRMSetup>
  <Server>
    <LicenseKey>XXXXX-XXXXX-XXXXX-XXXXX-XXXXX</LicenseKey>
    <Groups AutoGroupManagementOff="true">
      <PrivUserGroup>CN=PrivUserGroup,OU=Company Name,OU=Company Name,DC=microsoft,DC=com</PrivUserGroup>
      <SQLAccessGroup>CN=SQLAccessGroup,OU=Company Name,OU=Company Name,DC=microsoft,DC=com</SQLAccessGroup>
      <UserGroup>CN=UserGroup,OU=Company Name,OU=Company Name,DC=microsoft,DC=com</UserGroup>
      <ReportingGroup>CN=ReportingGroup,OU=Company Name,OU=Company Name,DC=microsoft,DC=com</ReportingGroup>
    </Groups>
    <Organization>Company Name</Organization>
    <SqlServer>SQLServerName</SqlServer>
    <Database create="true"/>
    <InstallDir>C:\Program Files\Microsoft CRM</InstallDir>
    <WebSiteUrl>/LM/W3SVC/1</WebSiteUrl>
  </Server>
</CRMSetup>
```
In this example, modify the parameters by using the following replacement values.

| Parameter | Replacement value |
|---|---|
| XXXXX-XXXXX-XXXXX-XXXXX-XXXXX | The license key. |
| PrivUserGroup | The name of the PrivUserGroup security group, including the GUID. |
| Company Name | The registered name of the company. |
| microsoft | The domain name. |
| com | The domain extension. |
| SQLAccessGroup | The name of the SQLAccessGroup security group, including the GUID. |
| UserGroup | The name of the UserGroup security group, including the GUID. |
| ReportingGroup | The name of the ReportingGroup security group, including the GUID. |
| SQLServerName | The name of the Microsoft SQL Server server. |
| C:\Program Files\Microsoft CRM | The directory in which you want to install Microsoft CRM. This example uses the default installation directory. |
| /LM/W3SVC/1 | The Web site on which you want to install Microsoft CRM. This example uses the default Web site. |
   b. Run the Microsoft CRM Server installation. To do this, click Start, click Run, type C:\ServerSetup.exe /config C:\config_precreate.xml, and then click OK.
Install by having Setup create Active Directory security groups
Install Microsoft CRM by having Microsoft CRM Setup create the Active Directory security groups. To do this, follow these steps.
Note If you are enabling the Microsoft CRM setup to install Reporting Services, go to step 2.
1. If you are installing to an existing Reporting Services installation, add the Content Manager role at the root level and the System Administrator role at site-wide level for the installing user account. To do this, follow these steps on the Reporting Services server:
   a. Click Start, click Programs, click Microsoft SQL Server, click Reporting Services, and then click Report Manager.
   b. Click the Properties tab, and then click New Role Assignment.
   c. In the Group or user name text box, enter the name of the installing user, click to select the check box next to Content Manager, and then click OK.
      Note Use the following format when you type the name of the installing user:
      DomainName\UserName
   d. In the upper-right corner, click Site Settings.
   e. Under the Security heading, click Configure site-wide security. Then click New Role Assignment.
   f. In the Group or user name text box, enter the name of the installing user, click to select the check box that is next to System Administrator, and then click OK.
      Note Use the following format when you type the name of the installing user:
      DomainName\UserName
2. Add the installing user account as a member of the local administrator group. To do this, follow these steps on the Microsoft CRM server and on the computer that is running Microsoft SQL Server:
   a. Log on to the server as a user who has local administrator permissions.
   b. Click Start, click Administrative Tools, and then click Computer Management.
   c. Expand System Tools, expand Local Users and Groups, and then expand Groups.
   d. Right-click Administrators. Then click Properties.
   e. Click Add to add the installing user account.
3. Add the following permissions to the organizational unit (OU) in Active Directory for the installing user account. You must do this for the OU that you will choose to install to during the installation.
   Permissions
   - Read
   - Create All Child Objects
   Advanced permissions
   - Read Permissions
   - Modify Permissions
   - Read Members
   - Write Members
   To add the Allow permissions, follow these steps:
   a. Log on to the domain controller server as a user who has domain administrator permissions.
   b. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
   c. On the View menu, click Advanced Features.
   d. In the navigation pane, expand the tree to the node that contains the security group to find the OU that you want to use for the Microsoft CRM installation.
   e. Right-click the OU, click Properties, and then click the Security tab.
   f. In the Group or user names list, click the installing user account if the account is listed. If the account is not listed, click Add to add the installing user account.
   g. In the Allow column, click to select the check box for the Create All Child Objects permission.
      Note By default, the Read permission is set to Allow.
   h. Click Advanced.
   i. In the Permission entries list, click Add, select the installing user account, and then click OK.
   j. In the Apply onto list, click Group objects.
   k. In the Allow column, click to select the check boxes for Read Permissions and for Modify Permissions.
   l. Click the Properties tab.
   m. In the Apply onto list, click Group objects.
   n. In the Allow column, click to select the check boxes for Read Members and for Write Members.
   o. Click OK three times.
Set the Auto Group Management option
Use the appropriate method to set the AutoGroupManagementOff option. When you do not specify a value for the AutoGroupManagementOff option, the default value is "false." Therefore, the default status for the Auto Group Management functionality is that the functionality is turned on.
Choose method 1 to have the option remain set to "false" and to have Auto Group Management turned on. Or choose method 2 to set the option to "true" and to have Auto Group Management turned off.
Note The Auto Group Management option can be used only if you are installing Microsoft CRM by using pre-created Active Directory security groups.
Method 1: Set the AutoGroupManagementOff option to "false"
Create an XML file that uses the syntax in the following example. Modify the variables as appropriate. To modify the variables that are in this example, refer to the table that is in step 5 in the "Install by using pre-created Active Directory security groups" section as a guideline.
In this example, the XML file is named Config_precreate.xml and the domain name is microsoft.com. These names represent the actual names that you use. The Active Directory hierarchy is as follows: root domain, Company Name OU, Company Name OU.
Note The Organization, SqlServer, Database create, InstallDir, and WebSiteUrl entries are optional.
```xml
<CRMSetup>
  <Server>
    <LicenseKey>XXXXX-XXXXX-XXXXX-XXXXX-XXXXX</LicenseKey>
    <Groups>
      <PrivUserGroup>CN=PrivUserGroup,OU=Company Name,OU=Company Name,DC=microsoft,DC=com</PrivUserGroup>
      <SQLAccessGroup>CN=SQLAccessGroup,OU=Company Name,OU=Company Name,DC=microsoft,DC=com</SQLAccessGroup>
      <UserGroup>CN=UserGroup,OU=Company Name,OU=Company Name,DC=microsoft,DC=com</UserGroup>
      <ReportingGroup>CN=ReportingGroup,OU=Company Name,OU=Company Name,DC=microsoft,DC=com</ReportingGroup>
    </Groups>
    <Organization>Company Name</Organization>
    <SqlServer>SQLServerName</SqlServer>
    <Database create="true"/>
    <InstallDir>C:\Program Files\Microsoft CRM</InstallDir>
    <WebSiteUrl>/LM/W3SVC/1</WebSiteUrl>
  </Server>
</CRMSetup>
```
Method 2: Set the AutoGroupManagementOff option to "true"
1. Create an XML file that uses the syntax that is in the following example. Modify the variables as appropriate. To modify the variables that are in this example, refer to the table that is in step 5 in the "Install by using pre-created Active Directory security groups" section as a guideline.
   In this example, the XML file is named Config_manageoff.xml and the domain name is microsoft.com. These names represent the actual names that you use. The Active Directory hierarchy is as follows: root domain, Company Name OU, Company Name OU.
   Note The Organization, SqlServer, Database create, InstallDir, and WebSiteUrl entries are optional.
```xml
<CRMSetup>
  <Server>
    <LicenseKey>XXXXX-XXXXX-XXXXX-XXXXX-XXXXX</LicenseKey>
    <Groups AutoGroupManagementOff="true">
      <PrivUserGroup>CN=PrivUserGroup,OU=Company Name,OU=Company Name,DC=microsoft,DC=com</PrivUserGroup>
      <SQLAccessGroup>CN=SQLAccessGroup,OU=Company Name,OU=Company Name,DC=microsoft,DC=com</SQLAccessGroup>
      <UserGroup>CN=UserGroup,OU=Company Name,OU=Company Name,DC=microsoft,DC=com</UserGroup>
      <ReportingGroup>CN=ReportingGroup,OU=Company Name,OU=Company Name,DC=microsoft,DC=com</ReportingGroup>
    </Groups>
    <Organization>Company Name</Organization>
    <SqlServer>SQLServerName</SqlServer>
    <Database create="true"/>
    <InstallDir>C:\Program Files\Microsoft CRM</InstallDir>
    <WebSiteUrl>/LM/W3SVC/1</WebSiteUrl>
  </Server>
</CRMSetup>
```
2. Add the appropriate user and computer accounts as members of the groups that are in the following list.
   Note You must follow this step only if the AutoGroupManagementOff option is set to "true."
   PrivUserGroup
   - The account that the CRMAppPool uses
   - The account that the ASP.NET process model uses
   - The user account that runs the Microsoft CRM installation
   - The computer account on which the Microsoft CRM-Exchange E-mail Router will be installed
   ReportingGroup
   - All Microsoft CRM user accounts, including the installing user
   SQLAccessGroup
   - The account that the CRMAppPool uses
   - The account that the ASP.NET process model uses
   - The user account that runs the Microsoft CRM installation
   UserGroup
   - All Microsoft CRM user accounts, including the installing user
   To add the accounts, follow these steps for each group that is in the list.
   Note If Microsoft Internet Information Services (IIS) 6.0 or 5.0 is running in Isolation mode, you must add the LocalSystem account to the PrivUserGroup group and to the SQLAccessGroup group.
   a. Log on to the domain controller server as a user who has domain administrator permissions.
   b. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
   c. In the navigation pane, expand the tree to the node that contains the security group, right-click the security group, click Properties, and then click the Members tab.
   d. To add a user account, click Add, and then click OK. To add a computer account, click Object Types, click to select the check box that is next to Computers, and then click OK.
3. Run the Microsoft CRM server installation. To do this, follow these steps:
   a. Click Start, click Run, and then type C:\ServerSetup.exe /config C:\config_manageoff.xml.
   b. Click OK.
   Note In this step, config_manageoff.xml represents the actual name of the XML file that you created.
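A pre-flight check for the configuration file and the manual membership step, as an added example that is not part of the original article or of Microsoft CRM Setup. The function names, the sample OU and the example.com domain are assumptions made for illustration; the same-domain check is an added sanity check that the article does not require.

```python
import xml.etree.ElementTree as ET

REQUIRED = ("PrivUserGroup", "SQLAccessGroup", "UserGroup", "ReportingGroup")
SERVICE = ["CRMAppPool account", "ASP.NET process model account", "installing user"]
ALL_USERS = ["all Microsoft CRM user accounts, including the installing user"]
# Members the article lists for manual addition when Auto Group Management is off.
MANUAL_MEMBERS = {
    "PrivUserGroup": SERVICE + ["E-mail Router computer account"],
    "SQLAccessGroup": SERVICE,
    "UserGroup": ALL_USERS,
    "ReportingGroup": ALL_USERS,
}
# Constructed sample input: placeholder OU and domain, with two deliberate mistakes.
SAMPLE = """<CRMSetup><Server>
  <Groups AutoGroupManagementOff="true">
    <PrivUserGroup>CN=PrivUserGroup,OU=CRM,DC=example,DC=com</PrivUserGroup>
    <SQLAccessGroup>CN=SQLAccessGroup,OU=CRM, DC=example,DC=com</SQLAccessGroup>
    <UserGroup>OU=CRM,DC=example,DC=com</UserGroup>
  </Groups>
</Server></CRMSetup>"""

def split_dn(dn):
    """Split a group DN into (ATTR, value) pairs; assumes no escaped commas."""
    if not dn:
        raise ValueError("element missing or empty")
    pairs = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not value:
            raise ValueError("malformed component %r" % rdn.strip())
        pairs.append((attr.strip().upper(), value.strip()))
    if pairs[0][0] != "CN":
        raise ValueError("DN does not start with CN=")
    return pairs

def check_config(xml_text):
    """Return (auto_group_management_on, problems, manual_membership_plan)."""
    groups = ET.fromstring(xml_text).find("Server/Groups")
    if groups is None:
        return None, ["no <Server>/<Groups> element"], {}
    # The article states that an absent attribute defaults to "false" (feature on).
    auto_on = groups.get("AutoGroupManagementOff", "false").strip().lower() != "true"
    problems, domains = [], set()
    for name in REQUIRED:
        dn = (groups.findtext(name) or "").strip()
        try:
            pairs = split_dn(dn)
        except ValueError as exc:
            problems.append("%s: %s" % (name, exc))
            continue
        domains.add(".".join(v.lower() for a, v in pairs if a == "DC"))
    if len(domains) > 1:
        problems.append("groups span several domains: %s" % sorted(domains))
    return auto_on, problems, ({} if auto_on else MANUAL_MEMBERS)
```

Calling `check_config(SAMPLE)` reports the two broken group entries and, because the file turns Auto Group Management off, returns the accounts that must be added to each group by hand before Setup runs.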
To verify which account the CRMAppPool uses, follow these steps on the Microsoft CRM server:
1. Click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. Expand the computer name. Then expand Application Pools.
3. Right-click CRMAppPool, click Properties, and then click the Identity tab.
The NetworkService and LocalSystem accounts are both represented by the DomainName\ComputerName$ account. Therefore, when you must add the NetworkService account or the LocalSystem account to a security group, you must also add the DomainName\ComputerName$ account.
If the Configurable option is selected, you must add the specified user account to the security group. The specified user account appears in a text box.
To verify which account the ASP.NET process model uses, follow these steps on the Microsoft CRM server:
1. In Windows Explorer, open the following folder:
   C:\WINNT\Microsoft.NET\Framework\v1.1.4322\CONFIG
2. Right-click machine.config, click Open With, and then click Notepad.
3. Search for the word username in the text. The file will contain multiple instances of the word. Locate the fifth instance of "username" that is in the text. The value for the fifth instance of "username" is the account that the ASP.NET process uses.
The SYSTEM and machine accounts are both represented by the DomainName\ComputerName$ account. Therefore, when you must add the SYSTEM account or the machine account to a security group, you must also add the DomainName\ComputerName$ account.
If a user name is specified in the Machine.config file, you must add the specified user account to the security group.
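The two identity lookups above, as an added example that is not part of the original article: it reads the userName attribute of the processModel element from machine.config instead of counting text matches, and applies the article's rule for accounts that are represented by the computer account. The function names, the CONTOSO domain and the CRM01 computer name are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Identities the article says are represented by DomainName\ComputerName$.
COMPUTER_ACCOUNT_ALIASES = {"networkservice", "localsystem", "system", "machine"}

# Constructed excerpt in the shape of a .NET Framework 1.1 machine.config.
# The explanatory comment mentions userName more than once, which is why the
# real value is not the first text match in the file.
SAMPLE_MACHINE_CONFIG = """<configuration>
  <system.web>
    <!-- userName="[user]" - Windows user to run the process as.
         Special users: "SYSTEM" and "machine". When userName is set,
         password must also be set. -->
    <processModel enable="true" userName="machine" password="AutoGenerate"/>
  </system.web>
</configuration>"""

def aspnet_identity(machine_config_text):
    """Return the userName attribute of <processModel>, or None if absent."""
    root = ET.fromstring(machine_config_text)
    # XML comments are skipped by the parser, so only the real element is seen.
    process_model = next(root.iter("processModel"), None)
    return None if process_model is None else process_model.get("userName")

def group_member_for(identity, domain, computer):
    """Map a service identity to the account to add to the security group."""
    name = identity.strip()
    # Drop any authority prefix ("NT AUTHORITY\\...") and spaces before matching.
    short = name.split("\\")[-1].replace(" ", "").lower()
    if short in COMPUTER_ACCOUNT_ALIASES:
        return "%s\\%s$" % (domain, computer)
    # A configured user account is added to the group as it is specified.
    return name

if __name__ == "__main__":
    identity = aspnet_identity(SAMPLE_MACHINE_CONFIG)
    print(identity, "->", group_member_for(identity, "CONTOSO", "CRM01"))
```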