Have you tried to locate the Active Directory security groups that belong to your Dynamics CRM deployment only to find results like this?
First off, why would you ever get results like this? Dynamics CRM 2011 installs 4 Active Directory Security Groups (PrivReportingGroup, SQLAccessGroup, ReportingGroup and PrivUserGroup) by default per deployment. Some people think this is per organization, but that is not correct. No matter how many organizations you have in a CRM deployment, you will only have 4 security groups per deployment in CRM 2011. So, you could have this many groups because you have several CRM deployments installed in this domain. CRM 4.0 also used similar AD security group names, so there may be some left over from old 4.0 deployments or even failed CRM server installation attempts. When you un-install CRM, we do not delete the AD security groups that we create, so I have seen customer’s with orphaned security groups because of that reason as well.
Regardless of why you may have so many, you might want to find out which belong to a specific CRM deployment, or just want to do some clean up in Active Directory. Disclaimer: Make sure you are absolutely positive you do not need the groups before deleting them!
Run this query against any Organization database in the deployment you want to identify AD security group names for:
select ReportingGroupName, SqlAccessGroupName, PrivReportingGroupName from Organization
This will return something like this:
Note: We do not list the PrivUserGroup name in this table, but it should have the same GUID.
Now you can search in Active Directory and locate the AD security groups that belong to your CRM deployment.
From there you can either move the security groups into a specific Organizational Unit for better organization, or rename them to something that you can easily identify. These groups are tied back to CRM by GUID, so you can move or rename them without issues.
Scenario: What if you renamed your security groups or use pre-created groups for your CRM 2011 server install? In that case you have a bit more work to do, but Sean McNellis covered that in a previous blog post.
Hopefully this information helps to answer the question of which Active Directory security groups belong to your deployment and allows you to do some clean up of old groups in Active Directory.
As always our PFE team is ready to help if you need the assistance. In addition, we have a plethora of other services we offer such as developer training, admin workshops, and code reviews. If you would like to have another Microsoft PFE or I visit your company and assist with the ideas presented on our blog, contact your Microsoft Premier Technical Account Manager (TAM) for booking information. For more information about becoming a Microsoft Premier customer email PremSale@microsoft.com, tell them CRMInTheField or I sent you.
Thanks! Shawn Dieken
Microsoft Premier Field Engineer
Used this today, thanks for the post! I'll be clearing out many orphaned groups after our AD migrations are completed.
Awesome - That's what we like to hear Pete! Let us know if there are any other areas you'd like to see on the blog by using our "Email the blog author" link.