Microsoft KB Archive/908984

= How to install Microsoft Dynamics CRM 3.0 as a user who is not a domain administrator by using the minimum required permissions =

Article ID: 908984

Article Last Modified on 8/30/2006


APPLIES TO


 * Microsoft Dynamics CRM 3.0






INTRODUCTION
This article discusses the minimum permissions that are required for a user who is not a domain administrator to install Microsoft Dynamics CRM 3.0. During the installation, the Environment Diagnostic Wizard checks whether the installing user has the minimum required permissions. If the minimum required permissions are not met, you receive an error message.



SUMMARY
You have two options when you install Microsoft CRM by using the minimum required permissions for the installing user. You can use pre-created groups, or you can let the Microsoft CRM server Setup program create the groups during the installation.

Additional steps are required when you install Microsoft CRM to an existing Microsoft SQL Server Reporting Services (SSRS) installation.

You can also choose to turn the Auto Group Management functionality on or off. When you turn Auto Group Management on, Microsoft CRM automatically adds the appropriate user and computer accounts to the required groups. When you turn Auto Group Management off, Microsoft CRM does not automatically add these accounts. In this case, a domain administrator must add the appropriate user and computer accounts to the required groups.

You may receive the following Active Directory directory service warning in the Environment Diagnostic Wizard:

Current user does not have permissions to set the Trust for Delegation property

If you receive this message, visit the following Microsoft Web site to download the Microsoft white paper that discusses how to set the Trust for Delegation property:

http://www.microsoft.com/downloads/details.aspx?FamilyID=51bf9f20-bd00-4759-8378-b38eefda7b99&DisplayLang=en



Install by using pre-created Active Directory security groups
Install Microsoft CRM by using pre-created Active Directory security groups. To do this, follow these steps.

Note If you are enabling Microsoft CRM Setup to install Reporting Services, go to step 2.

 * 1) Install Microsoft CRM to an existing Reporting Services installation by adding the Content Manager role at the root level and the System Administrator role at site-wide level for the installing user account. To do this, follow these steps on the Reporting Services server:
    * a) Click Start, click Programs, click Microsoft SQL Server, click Reporting Services, and then click Report Manager.
    * b) Click the Properties tab. Then click New Role Assignment.
    * c) Enter the name of the installing user in the Group or user name text box, click to select the check box that is next to Content Manager, and then click OK.

      Note Use the following format when you enter the name of the installing user:

      \
    * d) In the upper-right corner, click Site Settings.
    * e) Under the Security heading, click Configure site-wide security, and then click New Role Assignment.
    * f) Enter the name of the installing user in the Group or user name text box, click to select the check box that is next to System Administrator, and then click OK.

      Note Use the following format when you enter the name of the installing user:

      \
 * 2) Create the following four security groups in Active Directory:
    * PrivUserGroup
    * ReportingGroup
    * SQLAccessGroup
    * UserGroup

   Repeat steps 2a through 2f for each group that is in the list.
    * a) Log on to the domain controller server as a user who has domain administrator permissions.
    * b) Click Start, click Administrative Tools, and then expand Active Directory Users and Computers to the root of the domain or to the specific organizational unit (OU) that you want to use to install Microsoft CRM.
    * c) Right-click the domain root or the OU that you want to use, click New, and then click Group.
    * d) In the Group Name field, enter the name of the group. For example, type PrivUserGroup.
    * e) If your domain functional level is Microsoft Windows Server 2003 or Microsoft Windows 2000 native, click Domain local in the Group scope list. If your domain functional level is Windows 2000 mixed, click Global in the Group scope list.
    * f) Click OK.
 * 3) Add the installing user account as a member of the Local Administrator group. You must complete steps 3a through 3e on the Microsoft CRM server and on the computer that is running Microsoft SQL Server.
    * a) Log on to the server as a user who has local administrator permissions.
    * b) Click Start, click Administrative Tools, and then click Computer Management.
    * c) Expand System Tools, expand Local Users and Groups, and then expand Groups.
    * d) Right-click Administrators. Then click Properties.
    * e) Click Add to add the installing user account.
 * 4) If you will turn on Auto Group Management for the installation in the "Set the Auto Group Management option" section, add the following Allow permissions to the security groups in Active Directory for the installing user account:

   Permissions
    * Read
    * Write
    * Add/Remove self as member

   Advanced permissions
    * List Contents
    * Read All Properties
    * Write All Properties
    * Read Permissions
    * Modify Permissions
    * All Validated Writes
    * Add/Remove self as member

   Note If you will turn off Auto Group Management for the installation, you will have to take the following actions when you log on initially and any time that a change must be made to the groups:
    * Log on by using a user account that has the necessary rights.
    * Manually add the users and computers to the appropriate security groups.

   To add the Allow permissions, follow steps 4a through 4i for each security group that you created in step 2:
    * a) Log on to the domain controller server as a user who has domain administrator permissions.
    * b) Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
    * c) On the View menu, click Advanced Features.
    * d) In the navigation pane, expand the tree to the security group, right-click the security group, click Properties, and then click the Security tab.
    * e) From the Group or user names list, select the installing user account if the account is listed. If the account is not listed, click Add to add the installing user account.
    * f) Click to select the check box in the Allow column for the Write permission. This action causes the system to automatically select the check box for the Add/Remove self as member permission.

      Note By default, the Read permission is set to Allow.
    * g) Click Advanced. From the Permission entries list, select the installing user account, and then click Edit.
    * h) Click to select the check box in the Allow column for the Modify Permissions permission.

      Note By default, the List Contents, Read All Properties, Write All Properties, Read Permissions, All Validated Writes, and Add/Remove self as member permissions are set to Allow.
    * i) Click OK three times.
 * 5) Create a configuration file that points Microsoft CRM to the pre-created Active Directory security groups. To do this, follow these steps:
    * a) Create an XML file that uses the syntax that is in the following example. Modify the variables as appropriate. The table that follows the sample code shows how to modify the variables that are in this example.

      In the following sample code, the XML file is named  and the domain name is. These names represent the actual names that you use. The Active Directory hierarchy is as follows: root domain, Company Name OU, Company Name OU.

      Note The Organization, SqlServer, Database create, InstallDir, and WebSiteUrl entries are optional.

      <CRMSetup>
        <Server>
          <LicenseKey>XXXXX-XXXXX-XXXXX-XXXXX-XXXXX</LicenseKey>
          <Groups AutoGroupManagementOff="true">
            <PrivUserGroup>CN=PrivUserGroup,OU=Company Name,OU=Company Name,DC=microsoft,DC=com</PrivUserGroup>
            <SQLAccessGroup>CN=SQLAccessGroup,OU=Company Name,OU=Company Name,DC=microsoft,DC=com</SQLAccessGroup>
            <UserGroup>CN=UserGroup,OU=Company Name,OU=Company Name,DC=microsoft,DC=com</UserGroup>
            <ReportingGroup>CN=ReportingGroup,OU=Company Name,OU=Company Name,DC=microsoft,DC=com</ReportingGroup>
          </Groups>
          <Organization>Company Name</Organization>
          <SqlServer>SQLServerName</SqlServer>
        </Server>
      </CRMSetup>

      , and then click OK.

Install by having Setup create Active Directory security groups
Install Microsoft CRM by having Microsoft CRM Setup create the Active Directory security groups. To do this, follow these steps.

Note If you are enabling the Microsoft CRM setup to install Reporting Services, go to step 2.

 * 1) If you are installing to an existing Reporting Services installation, add the Content Manager role at the root level and the System Administrator role at site-wide level for the installing user account. To do this, follow these steps on the Reporting Services server:
    * a) Click Start, click Programs, click Microsoft SQL Server, click Reporting Services, and then click Report Manager.
    * b) Click the Properties tab, and then click New Role Assignment.
    * c) In the Group or user name text box, enter the name of the installing user, click to select the check box next to Content Manager, and then click OK.

      Note Use the following format when you type the name of the installing user:

      \
    * d) In the upper-right corner, click Site Settings.
    * e) Under the Security heading, click Configure site-wide security. Then click New Role Assignment.
    * f) In the Group or user name text box, enter the name of the installing user, click to select the check box that is next to System Administrator, and then click OK.

      Note Use the following format when you type the name of the installing user:

      \
 * 2) Add the installing user account as a member of the local administrator group. To do this, follow these steps on the Microsoft CRM server and on the computer that is running Microsoft SQL Server:
    * a) Log on to the server as a user who has local administrator permissions.
    * b) Click Start, click Administrative Tools, and then click Computer Management.
    * c) Expand System Tools, expand Local Users and Groups, and then expand Groups.
    * d) Right-click Administrators. Then click Properties.
    * e) Click Add to add the installing user account.
 * 3) Add the following permissions to the organizational unit (OU) in Active Directory for the installing user account. You will have to do this for the OU that you will choose to install to during the installation.

   Permissions
    * Read
    * Create All Child Objects

   Advanced permissions
    * Read Permissions
    * Modify Permissions
    * Read Members
    * Write Members

   To add the Allow permissions, follow these steps:
    * a) Log on to the domain controller server as a user who has domain administrator permissions.
    * b) Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
    * c) On the View menu, click Advanced Features.
    * d) In the navigation pane, expand the tree to the node that contains the security group to find the OU that you want to use for the Microsoft CRM installation.
    * e) Right-click, click Properties, and then click the Security tab.
    * f) In the Group or user names list, click the installing user account if the account is listed. If the account is not listed, click Add to add the installing user account.
    * g) In the Allow column, click to select the check box for the Create All Child Objects permission.

      Note By default, the Read permission is set to Allow.
    * h) Click Advanced.
    * i) In the Permission entries list, click Add, select the installing user account, and then click OK.
    * j) In the Apply onto list, click Group objects.
    * k) In the Allow column, click to select the check boxes for Read Permissions and for Modify Permissions.
    * l) Click the Properties tab.
    * m) In the Apply onto list, click Group objects.
    * n) In the Allow column, click to select the check boxes for Read Members and for Write Members.
    * o) Click OK three times.

Set the Auto Group Management option
Use the appropriate method to set the AutoGroupManagementOff option. When you do not specify a value for the AutoGroupManagementOff option, the default value is "false." Therefore, the default status for the Auto Group Management functionality is that the functionality is turned on.

Choose method 1 to have the option remain set to "false" and to have Auto Group Management turned on. Or choose method 2 to set the option to "true" and to have Auto Group Management turned off.

Note The Auto Group Management option can be used only if you are installing Microsoft CRM by using pre-created Active Directory security groups.

Method 1: Set the AutoGroupManagementOff option to "false"
Create an XML file that uses the syntax in the following example. Modify the variables as appropriate. To modify the variables that are in this example, refer to the table that is in step 5 in the "Install by using pre-created Active Directory security groups" section as a guideline.

In this example, the XML file is named  and the domain name is. These names represent the actual names that you use. The Active Directory hierarchy is as follows: root domain, Company Name OU, Company Name OU.

Note The Organization, SqlServer, Database create, InstallDir, and WebSiteUrl entries are optional.

 <CRMSetup>
   <Server>
     <LicenseKey>XXXXX-XXXXX-XXXXX-XXXXX-XXXXX</LicenseKey>
     <Groups>
       <PrivUserGroup>CN=PrivUserGroup,OU=Company Name,OU=Company Name,DC=microsoft,DC=com</PrivUserGroup>
       <SQLAccessGroup>CN=SQLAccessGroup,OU=Company Name,OU=Company Name,DC=microsoft,DC=com</SQLAccessGroup>
       <UserGroup>CN=UserGroup,OU=Company Name,OU=Company Name,DC=microsoft,DC=com</UserGroup>
       <ReportingGroup>CN=ReportingGroup,OU=Company Name,OU=Company Name,DC=microsoft,DC=com</ReportingGroup>
     </Groups>
     <Organization>Company Name</Organization>
     <SqlServer>SQLServerName</SqlServer>
   </Server>
 </CRMSetup>

Method 2: Set the AutoGroupManagementOff option to "true"
and the domain name is  These names represent the actual names that you use. The Active Directory hierarchy is as follows: root domain, Company Name OU, Company Name OU.

Note The Organization, SqlServer, Database create, InstallDir, and WebSiteUrl entries are optional.

 <CRMSetup>
   <Server>
     <LicenseKey>XXXXX-XXXXX-XXXXX-XXXXX-XXXXX</LicenseKey>
     <Groups AutoGroupManagementOff="true">
       <PrivUserGroup>CN=PrivUserGroup,OU=Company Name,OU=Company Name,DC=microsoft,DC=com</PrivUserGroup>
       <SQLAccessGroup>CN=SQLAccessGroup,OU=Company Name,OU=Company Name,DC=microsoft,DC=com</SQLAccessGroup>
       <UserGroup>CN=UserGroup,OU=Company Name,OU=Company Name,DC=microsoft,DC=com</UserGroup>
       <ReportingGroup>CN=ReportingGroup,OU=Company Name,OU=Company Name,DC=microsoft,DC=com</ReportingGroup>
     </Groups>
     <Organization>Company Name</Organization>
     <SqlServer>SQLServerName</SqlServer>
   </Server>
 </CRMSetup>

 * Click OK.

Note In this step,  represents the actual name of the XML file that you created.
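
The following Python script is an added example, not part of the Microsoft article or of Microsoft CRM Setup. It checks a configuration file of the kind shown in step 5 of the "Install by using pre-created Active Directory security groups" section and in the "Set the Auto Group Management option" section: all four group entries must be present with usable distinguished names, and the effective Auto Group Management state is reported. The names `REQUIRED`, `parse_dn` and `check_config` and the sample file are constructed for the example.

```python
import xml.etree.ElementTree as ET

REQUIRED = ("PrivUserGroup", "SQLAccessGroup", "UserGroup", "ReportingGroup")
# Constructed DN; the space after one comma mirrors the article's sample.
DN = "CN={0},OU=Company Name,OU=Company Name, DC=microsoft,DC=com"
# Constructed sample modelled on the article's file; optional entries omitted.
SAMPLE = (
    "<CRMSetup><Server>"
    "<LicenseKey>XXXXX-XXXXX-XXXXX-XXXXX-XXXXX</LicenseKey>"
    '<Groups AutoGroupManagementOff="true">'
    + "".join("<{0}>{1}</{0}>".format(g, DN.format(g)) for g in REQUIRED)
    + "</Groups></Server></CRMSetup>"
)


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs; escaped commas unsupported."""
    pairs = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not (sep and attr.strip() and value.strip()):
            raise ValueError("malformed RDN %r" % rdn.strip())
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def check_config(xml_text):
    """Return (auto_group_management_on, findings) for a setup file."""
    groups = ET.fromstring(xml_text).find("./Server/Groups")
    if groups is None:
        return None, ["no <Groups> element under <Server>"]
    # Per the article, an absent AutoGroupManagementOff means "false",
    # that is, Auto Group Management is turned on.
    off = groups.get("AutoGroupManagementOff", "false").strip().lower()
    auto_on = {"true": False, "false": True}.get(off)
    findings = []
    if auto_on is None:
        findings.append("AutoGroupManagementOff is not true/false: " + off)
    for name in REQUIRED:
        text = (groups.findtext(name) or "").strip()
        if not text:
            findings.append("missing group entry: " + name)
            continue
        try:
            attrs = [attr for attr, _ in parse_dn(text)]
        except ValueError as exc:
            findings.append("%s: %s" % (name, exc))
            continue
        if attrs[0] != "CN" or "DC" not in attrs:
            findings.append(name + ": expected CN=...,DC=... form")
    return auto_on, findings
```

A result of `(False, [])` means that the file is usable and that Auto Group Management is off, so a domain administrator must add the user and computer accounts to the groups manually.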

To verify which account the CRMAppPool uses, follow these steps on the Microsoft CRM server:
 * 1) Click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
 * 2) Expand the computer name. Then expand Application Pools.
 * 3) Right-click CRMAppPool, click Properties, and then click the Identity tab.

The NetworkService and LocalSystem accounts are both represented by the  \ $ account. Therefore, when you must add the NetworkService account or the LocalSystem account to a security group, you must also add the  \ $ account.

If the Configurable option is selected, you must add the specified user account to the security group. The specified user account appears in a text box.

To verify which account the ASP.NET process model uses, follow these steps on the Microsoft CRM server:
 * 1) In Windows Explorer, open the following folder:

C:\WINNT\Microsoft.NET\Framework\v1.1.4322\CONFIG
 * 2) Right-click machine.config, click Open With, and then click Notepad.
 * 3) Search for the word username in the text. The file will contain multiple instances of the word. Locate the fifth instance of "username" that is in the text. The value for the fifth instance of "username" is the account that the ASP.NET process uses.

The SYSTEM and machine accounts are both represented by the  \ $ account. Therefore, when you must add the SYSTEM account or the machine account to a security group, you must also add the  \ $ account.

If a user name is specified in the Machine.config file, you must add the specified user account to the security group.
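
The following Python script is an added example, not part of the Microsoft article. Instead of counting occurrences of "username" by eye, it reads the `userName` attribute of the `<processModel>` element in machine.config and applies the rule above. The sample file, the function name `aspnet_account`, and the domain and computer names passed to it are constructed; the `DOMAIN\COMPUTER$` form is the standard Active Directory computer account name.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt shaped like a .NET Framework 1.1 machine.config. The
# comment line shows why counting "username" occurrences by eye is fragile.
SAMPLE = """<configuration>
  <system.web>
    <!-- processModel attributes: userName="[user]" password="[password]" -->
    <identity impersonate="false" userName="" password=""/>
    <processModel enable="true" userName="machine" password="AutoGenerate"/>
  </system.web>
</configuration>"""

BUILT_IN = ("system", "machine")


def aspnet_account(config_text, domain, computer):
    """Return the account to add to the security group for ASP.NET.

    domain and computer are caller-supplied values (hypothetical inputs).
    """
    root = ET.fromstring(config_text)
    node = next(root.iter("processModel"), None)
    if node is None:
        raise ValueError("no <processModel> element found")
    user = (node.get("userName") or "").strip()
    if not user:
        raise ValueError("processModel has no userName value")
    if user.lower() in BUILT_IN:
        # SYSTEM and machine are both represented by the computer account.
        return "%s\\%s$" % (domain, computer)
    # Any other value is a specific user account that must be added itself.
    return user
```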

Keywords: kbmbsinstallation kbhowto kbmbsmigrate KB908984


© Microsoft Corporation. All rights reserved.