This is from the Microsoft CRM 2011 Implementation Guide from Microsoft (the compiled help file):
Minimum permissions required for Microsoft Dynamics CRM Setup, services, and components
Microsoft Dynamics CRM is designed so that its components can run
under separate identities. By specifying a domain user account that is granted
only the permissions necessary to enable a particular component to function, you
help secure the system and reduce the likelihood of exploitation.
This topic describes the minimum permissions that are required by
the user account for Microsoft Dynamics CRM services and
components.
Microsoft Dynamics CRM Server Setup
The user account used to run Microsoft Dynamics CRM Server Setup
that includes the creation of databases requires the following minimum
permissions:
- Be a member of the Active Directory Domain Users group. By
default, Active Directory Users and Computers adds new users to the Domain Users
group.
- Be a member of the Administrators group on the local
computer where Setup is running.
- Have Local Program Files folder read and write permission.
- Be a member of the Administrators group on the local
computer where the instance of SQL Server is located that will be used to store
the Microsoft Dynamics CRM databases.
- Have sysadmin membership on the instance of SQL Server that
will be used to store the Microsoft Dynamics CRM databases.
- Have organization and security group creation permission in
Active Directory. Alternatively, you can use a Setup XML configuration file to
install Microsoft Dynamics CRM Server 2011 when security groups have already
been created. For more information, see Use the Command Prompt to
Install Microsoft Dynamics CRM in the Installing Guide.
- If Microsoft SQL Server Reporting Services is installed on a
different server, you must add the Content Manager role at the root level for
the installing user account. You must also add the System Administrator Role at
the site-wide level for the installing user
account.
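The following PowerShell script is an added example, not part of the Implementation Guide: a pre-flight check, run while logged on as the account that will execute Server Setup, for the items in the list above that can be verified from the Setup computer (Domain Users membership, local Administrators membership, read/write on Program Files, and sysadmin on the SQL Server instance). The instance name `SQLSERVER01\CRM` is a placeholder. Local Administrators membership on the SQL computer and the Active Directory group-creation permission are not checked here.

```powershell
# Added example, not from the Implementation Guide: pre-flight check for the
# account about to run CRM Server Setup. Run from an elevated prompt while
# logged on as that account. The SQL instance name is a placeholder.
param(
    [string]$SqlInstance = 'SQLSERVER01\CRM'   # placeholder: instance that will host the CRM databases
)
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$results   = @()

# Domain Users is normally the account's primary group, so compare the token
# groups against the well-known Domain Users SID of the account's own domain.
$domainSid    = $identity.User.AccountDomainSid
$isDomainUser = $false
if ($domainSid -ne $null) {
    $domainUsersSid = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::AccountDomainUsersSid, $domainSid)
    $isDomainUser = [bool]($identity.Groups | Where-Object { $_.Value -eq $domainUsersSid.Value })
}
$results += @{ Check = 'Domain Users member'; Ok = $isDomainUser }

# Local Administrators on this computer. IsInRole sees only the elevated
# token, so a non-elevated prompt reports $false even for administrators.
$results += @{ Check = 'Local Administrators member'
               Ok    = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator) }

# Read and write on the local Program Files folder: create, read back and
# remove a probe file.
$probe    = Join-Path $env:ProgramFiles "crm-setup-probe-$([guid]::NewGuid()).tmp"
$canWrite = $false
try {
    [System.IO.File]::WriteAllText($probe, 'probe')
    $null = [System.IO.File]::ReadAllText($probe)
    Remove-Item -LiteralPath $probe -Force
    $canWrite = $true
} catch { }
$results += @{ Check = 'Program Files read/write'; Ok = $canWrite }

# sysadmin on the SQL Server instance, authenticating as the current user.
$isSysadmin = $false
try {
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$SqlInstance;Integrated Security=SSPI;Connection Timeout=5")
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT IS_SRVROLEMEMBER('sysadmin')"
    $isSysadmin = ([int]$cmd.ExecuteScalar() -eq 1)
    $conn.Close()
} catch { }
$results += @{ Check = "sysadmin on $SqlInstance"; Ok = $isSysadmin }

$results | ForEach-Object { New-Object PSObject -Property $_ } | Format-Table Check, Ok -AutoSize
```

Any row that shows `False` points at a requirement to fix before Setup is started; a `False` for the SQL row can also mean the instance was unreachable within the five-second timeout, so check connectivity before changing role membership.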
Services and CRMAppPool IIS application pool identity permissions
The user account that is used for the Microsoft Dynamics CRM services and IIS application pools requires the following permissions:
Important: Microsoft Dynamics CRM services and application pool (CRMAppPool) identity accounts must not be configured as a Microsoft Dynamics CRM user. Doing so can cause authentication issues and unexpected behavior in the application for all Microsoft Dynamics CRM users. For more information, see Problems in CRM when the CRMAppPool user account is a CRM user.
Managed service accounts, introduced in Windows Server 2008 R2, are not supported for running Microsoft Dynamics CRM services.
Microsoft Dynamics CRM Sandbox Processing Service
- Domain Users membership.
- That account must be granted the Logon as service
permission in the Local Security Policy.
- Folder read and write permission on the Trace folder, by default located
under \Program Files\Microsoft Dynamics CRM\Trace, and the user account
%AppData% folder on the local computer.
- Read permission to the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM subkey in the Windows
registry.
- The service account may need an SPN for the URL used to
access the website that is associated with it. To set the SPN for the Sandbox
Processing Service account, run the following command at a command prompt on the
computer where the service is running.
SETSPN -a MSCRMSandboxService/<ComputerName> <service account>
Microsoft Dynamics CRM Asynchronous Processing Service and Microsoft Dynamics CRM Asynchronous Processing Service (maintenance) services
- Domain Users membership.
- Performance Log Users membership.
- That account must be granted the Logon as service
permission in the Local Security Policy.
- Folder read and write permission on the Trace folder,
by default located under \Program Files\Microsoft Dynamics CRM\, and user
account %AppData% folder on the local computer.
- Read and write permission to the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM and
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSCRMSandboxService
subkeys in the Windows registry.
- The service account may need an SPN for the URL used to
access the website that is associated with it.
Deployment Web Service (CRMDeploymentServiceAppPool Application Pool identity)
- Domain Users membership.
- That account must be granted the Logon as service
permission in the Local Security Policy.
- Local administrator group membership is required to perform
organization database operations (such as create new or import organization)
only if the following conditions are true:
  - The Microsoft SQL Server specified for the organization
  database is on the same computer as the Deployment Web Service server
  role.
  - The Web Application Server server role is running on the
  same computer as the Deployment Web Service server role.
- Local administrator group membership on the computer where
the Deployment Web Service is running.
- Local administrator group membership on the computer where
SQL Server is running.
- Sysadmin permission on the instance of SQL Server to be used
for the configuration and organization databases.
- Folder read and write permission on the Trace and
CRMWeb folders, by default located under \Program Files\Microsoft
Dynamics CRM\, and user account %AppData% folder on the local
computer.
- Read and write permission to the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM and
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSCRMSandboxService
subkeys in the Windows registry.
- CRM_WPG group membership. This group is used for IIS worker
processes. The group is created and the membership is added during Microsoft
Dynamics CRM Server Setup.
- The service account may need an SPN for the URL used to
access the website that is associated with it.
Application Service (CRMAppPool IIS Application Pool identity)
- Member of the Active Directory Domain Users group.
- Member of the Active Directory Performance Log Users
group.
- Folder read and write permission on the Trace and
CRMWeb folders, by default located under \Program Files\Microsoft
Dynamics CRM\, and user account %AppData% folder on the local
computer.
- Read and write permission to the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM and
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSCRMSandboxService
subkeys in the Windows Registry.
- CRM_WPG group membership. This group is used for IIS worker
processes. The group is created and the membership is added during Microsoft
Dynamics CRM Server Setup.
- The service account may need an SPN for the URL used to
access the website that is associated with it.
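The service and application pool sections above share the same pattern of requirements (group memberships, the log-on-as-a-service right, and read/write on the Trace and CRMWeb folders and the two MSCRM registry keys). The script below is an added example, not code from the Implementation Guide, that audits one account against that pattern on the CRM server. Because Setup normally grants folder and registry rights to the CRM_WPG group rather than to each account, ACEs held by local groups the account belongs to are credited to the account. The account name `CONTOSO\svc-crmasync` is a placeholder; the install path is the default from the guide. Rights granted only through Active Directory groups are not credited, and the account's own %AppData% folder is not checked.

```powershell
# Added example, not from the Implementation Guide: audits a service or
# application pool account against the folder, registry, group and
# logon-right requirements. Run from an elevated prompt on the CRM server.
param(
    [string]$Account = 'CONTOSO\svc-crmasync',   # placeholder service account
    [string]$CrmRoot = (Join-Path $env:ProgramFiles 'Microsoft Dynamics CRM')
)
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$sam = $Account.Split('\')[-1]

# Local groups on this computer that contain the account (matched by SID),
# so rights granted to CRM_WPG or Performance Log Users count for it.
$localGroupNames = @(); $localGroupSids = @()
$computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
foreach ($group in ($computer.Children | Where-Object { $_.SchemaClassName -eq 'Group' })) {
    foreach ($member in $group.Invoke('Members')) {
        $bytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        if ((New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value -eq $sid) {
            $localGroupNames += "$($group.Name)"
            $localGroupSids  += (New-Object System.Security.Principal.SecurityIdentifier(
                                     $group.Properties['objectSid'].Value, 0)).Value
        }
    }
}
$principalSids = @($sid) + $localGroupSids

# Domain Users is the primary group (RID 513) and so never appears in memberOf.
$adUser = ([ADSISearcher]"(&(objectCategory=user)(sAMAccountName=$sam))").FindOne()
$isDomainUser = ($adUser -ne $null) -and ([int]$adUser.Properties['primarygroupid'][0] -eq 513)

# "Log on as a service" (SeServiceLogonRight) exported from the local policy;
# secedit lists holders as *SID entries separated by commas.
$inf = Join-Path $env:TEMP 'crm-user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rightLine = Get-Content $inf | Where-Object { $_ -like 'SeServiceLogonRight*' }
Remove-Item -LiteralPath $inf -Force
$holders = @()
if ($rightLine) { $holders = ($rightLine -split '[=,]') | ForEach-Object { $_.Trim().TrimStart('*') } }
$hasLogonRight = @($principalSids | Where-Object { $holders -contains $_ }).Count -gt 0

function Test-ReadWrite {
    # True if the Allow ACEs on $Path held by any SID in $Sids together cover $Needed.
    param([string]$Path, [string[]]$Sids, [int]$Needed, [string]$RightsProperty)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $granted = 0
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($Sids -contains $aceSid) { $granted = $granted -bor [int]$ace.$RightsProperty }
    }
    return (($granted -band $Needed) -eq $Needed)
}
$fsNeeded  = [int]([System.Security.AccessControl.FileSystemRights]::Read -bor
                   [System.Security.AccessControl.FileSystemRights]::Write)
$regNeeded = [int]([System.Security.AccessControl.RegistryRights]::ReadKey -bor
                   [System.Security.AccessControl.RegistryRights]::WriteKey)
$sandboxKey = 'HKLM:\SYSTEM\ControlSet001\services\MSCRMSandboxService'

$checks = @(
    @{ Check = 'Domain Users (primary group)';   Ok = $isDomainUser },
    @{ Check = 'Local Performance Log Users';    Ok = ($localGroupNames -contains 'Performance Log Users') },
    @{ Check = 'Local CRM_WPG';                  Ok = ($localGroupNames -contains 'CRM_WPG') },
    @{ Check = 'Log on as a service';            Ok = $hasLogonRight },
    @{ Check = 'Trace folder read/write';        Ok = (Test-ReadWrite (Join-Path $CrmRoot 'Trace')  $principalSids $fsNeeded  'FileSystemRights') },
    @{ Check = 'CRMWeb folder read/write';       Ok = (Test-ReadWrite (Join-Path $CrmRoot 'CRMWeb') $principalSids $fsNeeded  'FileSystemRights') },
    @{ Check = 'HKLM\...\MSCRM key read/write';  Ok = (Test-ReadWrite 'HKLM:\SOFTWARE\Microsoft\MSCRM' $principalSids $regNeeded 'RegistryRights') },
    @{ Check = 'MSCRMSandboxService key r/w';    Ok = (Test-ReadWrite $sandboxKey $principalSids $regNeeded 'RegistryRights') }
)
$checks | ForEach-Object { New-Object PSObject -Property $_ } | Format-Table Check, Ok -AutoSize
```

Run it once per account (Sandbox, Asynchronous, Deployment Web Service, CRMAppPool) and read the `Ok` column against the list for that role; the Sandbox account, for example, only needs read on the MSCRM key, so a `False` on the write half of that row is not a finding for it.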
IIS Application Pool identities running under Kernel-Mode authentication and SPNs
By default, IIS 7.0 and IIS 7.5 Web sites are configured to use Kernel-Mode authentication. When you run the Microsoft Dynamics CRM website by using Kernel-Mode authentication, you may not need to configure additional Service Principal Names (SPNs) for the CRMAppPool identities.
To determine whether your IIS deployment requires SPNs, see Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0/7.5.
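As an added example (not from the Implementation Guide), the script below reads the Windows authentication settings of the CRM website from IIS and lists the SPNs registered for whichever account Kerberos will actually use. With Kernel-Mode authentication on and `useAppPoolCredentials` off, http.sys decrypts the service ticket with the computer account, so the HTTP SPN for the site URL belongs on the computer; otherwise the ticket is issued to the application pool identity and the SPN must be on that account. It requires the WebAdministration module (IIS 7.0/7.5 with the PowerShell snap-in) and setspn.exe. The site name is the one Setup creates by default; the host name `crm.contoso.com` and the account `CONTOSO\svc-crmapp` are placeholders.

```powershell
# Added example, not from the Implementation Guide: shows which account
# Kerberos will use for the CRM website under the current IIS settings and
# whether the HTTP SPNs for the site URL exist on it.
param(
    [string]$SiteName       = 'Microsoft Dynamics CRM',   # default site name created by Setup; verify with Get-Website
    [string]$HostName       = 'crm.contoso.com',          # placeholder: host part of the site URL
    [string]$AppPoolAccount = 'CONTOSO\svc-crmapp'        # placeholder: CRMAppPool identity
)
Import-Module WebAdministration

function Get-WinAuthSetting {
    # Reads one attribute of <windowsAuthentication> for the site; older
    # versions of the module return a ConfigurationAttribute, newer a bool.
    param([string]$Name)
    $v = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
         -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name $Name
    if ($v -is [bool]) { return $v } else { return [bool]$v.Value }
}
$useKernelMode = Get-WinAuthSetting 'useKernelMode'
$usePoolCreds  = Get-WinAuthSetting 'useAppPoolCredentials'

# Kernel mode without useAppPoolCredentials -> computer account; otherwise the
# application pool identity must carry the HTTP SPN.
if ($useKernelMode -and -not $usePoolCreds) {
    $kerberosAccount = "$env:COMPUTERNAME$"
} else {
    $kerberosAccount = $AppPoolAccount
}

function Get-Spns {
    # setspn -L prints a header line followed by one indented SPN per line.
    param([string]$Account)
    setspn -L $Account | ForEach-Object { $_.Trim() } | Where-Object { $_ -match '/' }
}
$spns    = @(Get-Spns $kerberosAccount)
$wanted  = @("HTTP/$HostName", "HTTP/$($HostName.Split('.')[0])")
$missing = @($wanted | Where-Object { $spns -notcontains $_ })

New-Object PSObject -Property @{
    Site             = $SiteName
    UseKernelMode    = $useKernelMode
    UseAppPoolCreds  = $usePoolCreds
    KerberosAccount  = $kerberosAccount
    RegisteredSpns   = ($spns -join ', ')
    MissingHttpSpns  = ($missing -join ', ')
} | Format-List

# Duplicate SPNs anywhere in the forest break Kerberos for the site; setspn -X
# reports them, so print its output as the final check.
setspn -X
```

If `MissingHttpSpns` is non-empty, register those names on `KerberosAccount` using the `SETSPN` command from the guide (the `-S` switch, available on Windows Server 2008 and later, refuses to add a name that already exists elsewhere). A non-empty `setspn -X` result for an `HTTP/` name means the same SPN is on two accounts and must be removed from the one that does not serve the site.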
Microsoft Dynamics CRM installation files
If you plan to install Microsoft Dynamics CRM from a location on the
network, such as a network share, you must make sure that the correct
permissions are applied to the folder, preferably on an NTFS volume, where the
installation files are located. For example, you may want to allow only members
of the Domain Admins group permissions for the folder. This practice can help to
reduce the risk of attacks on the installation files that may compromise or
alter them. For more information about how to set permissions on files and
folders on the Windows operating system, see Windows Help.
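The script below is an added example, not from the Implementation Guide, of the practice just described: it locks down an installation source folder on an NTFS volume so that only Domain Admins and SYSTEM hold rights, pushes that ACL down the tree, and then reports any file or subfolder that still carries an ACE for anyone else (for example a file that had inheritance disabled before the files were copied). The folder path `D:\Installers\CRM2011` and the domain `CONTOSO` are placeholders.

```powershell
# Added example, not from the Implementation Guide: restricts an installation
# source folder to Domain Admins and SYSTEM and verifies the whole tree.
param(
    [string]$SourceFolder = 'D:\Installers\CRM2011',   # placeholder: folder behind the share
    [string]$Domain       = 'CONTOSO'                  # placeholder: NetBIOS domain name
)
$allowed = @("$Domain\Domain Admins", 'NT AUTHORITY\SYSTEM')

# Stop inheriting from the parent and discard inherited ACEs, drop any
# explicit ACEs, then grant Full Control to the allowed principals with
# container and object inheritance so new files pick it up.
$acl = Get-Acl -LiteralPath $SourceFolder
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access)) { $null = $acl.RemoveAccessRule($rule) }
foreach ($who in $allowed) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $who, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
}
Set-Acl -LiteralPath $SourceFolder -AclObject $acl

# Make every child inherit again and strip its own explicit ACEs, so the
# folder ACL above is the only source of rights in the tree.
Get-ChildItem -LiteralPath $SourceFolder -Recurse -Force | ForEach-Object {
    $childAcl = Get-Acl -LiteralPath $_.FullName
    $childAcl.SetAccessRuleProtection($false, $false)
    foreach ($r in @($childAcl.Access)) {
        if (-not $r.IsInherited) { $null = $childAcl.RemoveAccessRule($r) }
    }
    Set-Acl -LiteralPath $_.FullName -AclObject $childAcl
}

# Verify: list every item whose ACL still names a principal outside $allowed.
$items = @(Get-Item -LiteralPath $SourceFolder) +
         @(Get-ChildItem -LiteralPath $SourceFolder -Recurse -Force)
$offenders = @()
foreach ($item in $items) {
    $extra = (Get-Acl -LiteralPath $item.FullName).Access |
             Where-Object { $allowed -notcontains $_.IdentityReference.Value }
    if ($extra) {
        $offenders += New-Object PSObject -Property @{
            Path       = $item.FullName
            Principals = (($extra | ForEach-Object { $_.IdentityReference.Value }) -join ', ')
        }
    }
}
if ($offenders.Count -eq 0) {
    "OK: only $($allowed -join ' and ') hold rights under $SourceFolder"
} else {
    $offenders | Format-Table Path, Principals -AutoSize
}
```

Run it as a member of Domain Admins, because the account running it loses access to the folder otherwise; the share permissions on the network share in front of this folder should be restricted to the same group, since NTFS and share permissions are evaluated together.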