CRM and Active Directory User Synchronization Consideration
I ran into an interesting issue at a customer yesterday that I thought may be of interest to everyone.
Scenario:
The customer has temporary administrative staff brought in to handle overflow work during peak times. Instead of creating a unique user name and login for each of these people, they decided to create a single user called Staff, which would be used by whoever the temp staff member was at the time.
This is an excellent practice and one that I've successfully used at many customers. If you have more than one temporary user, just append a number to the login name: Staff1, Staff2, Intern1, Intern2, etc.
The Problem:
Instead of creating a new Staff user, they renamed the Active Directory account of the previous temporary staff member, since she already had the necessary security and access privileges. That is where things went a bit bonkers with CRM.
The CRM Administrator had disabled the CRM user for the person who had just left, and when she attempted to create the new Staff user, she received an error message informing her that she was attempting to add a user who was already in the system.
The Cause:
When CRM adds a user to the CRM system, it also records the user's Active Directory GUID (the objectGUID attribute), a unique identifier assigned to each object within Windows Active Directory. CRM uses this value to guarantee that each CRM user maps to exactly one Active Directory (Windows) account. The GUID is assigned when the account is created and does not change when the account is renamed, so a renamed account is, as far as CRM is concerned, still the same user.
We were attempting to add a CRM user with a new Active Directory user name, MYSERVER\STAFF, but the renamed account still carried the GUID of the old login, and that GUID was already attached to a disabled CRM user, so the operation failed.
The Solution (Supported):
If you want to implement such a system, create a new Active Directory user, add that user to CRM, and assign security access rights in both Active Directory and CRM. Leave the departed person's account and CRM user record disabled rather than renaming them. This is the cleanest method for implementing the solution.
The Solution (mostly unsupported, but possibly necessary):
In this particular instance, the customer had already started using the new Staff person, and since we didn't wish to lose any work that may already have been completed by creating a new Active Directory user login, I decided to correct the problem by modifying the CRM database directly.
The first thing I did was to reactivate the disabled CRM user and change the user information to match that of the renamed Staff user.
As you probably know, you can't change the user's Windows login ID after they have been added to CRM. Since the old user's ID was MYSERVER\SALLY, and I needed it to be MYSERVER\STAFF, I had to manually update the CRM systemuser table to change the login name from MYSERVER\SALLY to MYSERVER\STAFF for that user.
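The following T-SQL is an added example, not part of the original post, and not Microsoft's supported procedure. It puts the diagnosis from the Cause section and the manual fix above into one script: first find which CRM user record already owns the Active Directory GUID of the renamed account, then update that record's login name only if exactly one record matches and nothing else already uses the new login. The database name Contoso_MSCRM is an assumption; the SystemUser table and its DomainName, ActiveDirectoryGuid, IsDisabled and FullName columns are the CRM 3.0/4.0 schema as I recall it, so check them against your own database before running anything. The GUID value is a placeholder that you replace with the objectGUID read from Active Directory for the renamed account.

```sql
-- Added example (not from the original post, not a Microsoft-supported procedure).
-- Assumptions: organization database Contoso_MSCRM; table SystemUser with columns
-- SystemUserId, DomainName, FullName, ActiveDirectoryGuid, IsDisabled.
-- If SystemUser is a view in your CRM version, target the base table (SystemUserBase).
USE Contoso_MSCRM;

-- objectGUID of the renamed AD account (placeholder value; read the real one from AD,
-- e.g. Get-ADUser STAFF | Select-Object ObjectGUID).
DECLARE @AdGuid   uniqueidentifier;
DECLARE @OldLogin nvarchar(256);
DECLARE @NewLogin nvarchar(256);
SET @AdGuid   = '00000000-0000-0000-0000-000000000000';  -- placeholder
SET @OldLogin = N'MYSERVER\SALLY';
SET @NewLogin = N'MYSERVER\STAFF';

-- 1. Diagnosis: renaming an AD account changes the login name but not the objectGUID,
--    so the disabled CRM record for the old login still owns the GUID. This is the
--    record that blocks "add user" for MYSERVER\STAFF.
SELECT SystemUserId, DomainName, FullName, ActiveDirectoryGuid, IsDisabled
FROM   SystemUser
WHERE  ActiveDirectoryGuid = @AdGuid;
-- Expected for the scenario in the post: one row, DomainName = 'MYSERVER\SALLY'.

-- 2. Unsupported repair, guarded so it cannot touch more than one record or create
--    a duplicate login. The UPDATE only changes the login name; reactivating the user
--    is done through the CRM UI as described above.
BEGIN TRANSACTION;

IF (SELECT COUNT(*) FROM SystemUser
    WHERE DomainName = @OldLogin AND ActiveDirectoryGuid = @AdGuid) <> 1
   OR EXISTS (SELECT 1 FROM SystemUser WHERE DomainName = @NewLogin)
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Refusing to update: old record not unique, or new login already in use.', 16, 1);
END
ELSE
BEGIN
    UPDATE SystemUser
    SET    DomainName = @NewLogin
    WHERE  DomainName = @OldLogin
      AND  ActiveDirectoryGuid = @AdGuid;
    COMMIT TRANSACTION;
END
```

Take a full backup of the organization database before running step 2, and run step 1 on its own first: if it returns no row, the GUID you supplied is wrong, and if it returns a record whose DomainName is not the old login you expected, stop and investigate rather than updating.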
Again, modifying the CRM database directly is unsupported by Microsoft and should be done with extreme care. You also can't blame me. :)
Good luck.