I received a call from one of my customers where a recently added Deployment Administrator was receiving SQL errors when opening the Deployment Manager console. The issue was that the new Deployment Administrator did not have rights to the MSCRM_Config database. TechNet has a series of pages, http://technet.microsoft.com/en-us/library/gg197626.aspx, that go through the steps of adding a new Deployment Administrator. Today I’ll walk you through how to create a security group with the proper security privileges to reduce administrative overhead when adding new Deployment Administrators. Here is an overview of what is in the CRM IG and TechNet articles:
Microsoft Dynamics CRM 2011 Deployment Manager is a Microsoft Management Console (MMC) snap-in that system administrators and value-added resellers use to manage Deployment Administrator accounts, organizations, servers, and licenses for Microsoft Dynamics CRM deployments.
NOTE: The Deployment Administrator role is separate from the Microsoft Dynamics CRM user role.
Create a new Active Directory security group for the CRM Deployment Administrator(s). This group will be used to assign permissions to the systems and security groups necessary to fully administer the CRM organizations in a CRM deployment. Consider giving this group a name unique to the CRM deployment, such as CRMDG01Admins.
When you add a Deployment Administrator role to a user, Deployment Manager does not grant the user local administrative rights to the CRM Deployment Administration and database servers. These rights are required to provision resources properly within the deployment.
The user who creates, modifies, edits, and imports organizations in Microsoft Dynamics CRM must have permissions in the following Microsoft Dynamics CRM security groups in Active Directory:
Note: Make sure your various service accounts have the proper group membership. This is documented in our CRM 2011 Setup FAQ; the table in the FAQ is now also listed in the CRM IG.
The CRM Deployment Administrator must have permissions to all four Microsoft Dynamics CRM security groups. The specific permissions a deployment administrator must have on the CRM security groups are as follows:
“Advanced” or Detailed Permissions
With the Deployment Administrators group created, you can grant the proper permissions on it once and, in the future, save time by adding new CRM Deployment Administrators to that group. To set up the proper permissions for members of this security group:
When you add a Deployment Administrator role to a user, Deployment Manager does not add the required permissions on the instance of SQL Server where the Microsoft Dynamics CRM databases are stored. When the user tries to start Deployment Manager, the user might receive an error message that says, "Unable to access the MSCRM_CONFIG database. SQL Server does not exist or access denied." To resolve this issue, you must add the user to SQL log-ins by using Reporting Services. For the new deployment administrator to manage CRM organizations created by other deployment administrators, he or she must be granted db_owner permissions to those databases, or be assigned the sysadmin server role to manage all databases.
You can add the Deployment Administrator using either the Microsoft Management Console (MMC) or a PowerShell script.
Add a Deployment Administrator Using MMC
In the console tree, right-click Deployment Administrators, and then click New Deployment Administrator.
In the Select User dialog box, in the Enter object name to select box, type the name of a user, who must exist in Active Directory, and then click Check Names.
After the user name is accepted, click OK.
To add the Deployment Administrator using PowerShell
The New-CrmDeploymentAdministrator cmdlet adds a new Deployment Administrator to the deployment.
New-CrmDeploymentAdministrator -Name username
where: username is the name of the user being given the Deployment Administrator role. It must be in the form domain\username. The user must exist in Active Directory.
New-CrmDeploymentAdministrator -Name contoso\<username>
Note: No data will be returned upon successful completion, as the call is asynchronously processed.
To verify that the account was properly created, either open the Deployment Manager and confirm the account is displayed in the Deployment Administrators list, or run the following CRM PowerShell cmdlet and confirm the account specified is found in the Name field:
Get-CrmDeploymentAdministrator
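The steps above combined into one script, as an added example that is not part of the original article or the TechNet pages: it puts the account in the pre-permissioned group, assigns the role, and polls for the result because the call is asynchronous. The parameter names, the 60-second polling window, the ActiveDirectory module being installed, and the Name field holding domain\username are assumptions.

```powershell
# Added example (not from the article). Run on the CRM deployment server
# as an existing Deployment Administrator.
param(
    [Parameter(Mandatory = $true)][string]$Domain,          # e.g. contoso (assumed to be the current domain)
    [Parameter(Mandatory = $true)][string]$SamAccountName,  # account to promote
    [string]$AdminGroup = 'CRMDG01Admins',                  # group name suggested in the article
    [int]$TimeoutSeconds = 60                               # assumed polling window
)

$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory
if (-not (Get-PSSnapin -Name Microsoft.Crm.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Crm.PowerShell
}

$fullName = "$Domain\$SamAccountName"

# The account must exist in Active Directory; Get-ADUser throws if it does not.
$user = Get-ADUser -Identity $SamAccountName

# Put the account in the pre-permissioned group unless it is already a member.
$members = Get-ADGroupMember -Identity $AdminGroup |
    Select-Object -ExpandProperty SamAccountName
if ($members -notcontains $user.SamAccountName) {
    Add-ADGroupMember -Identity $AdminGroup -Members $user
}

# Skip the role assignment if the account already holds it.
# Assumption: the Name field holds the account as domain\username.
$existing = Get-CrmDeploymentAdministrator | Where-Object { $_.Name -ieq $fullName }
if (-not $existing) {
    New-CrmDeploymentAdministrator -Name $fullName   # returns no data; processed asynchronously
}

# Poll until the account appears in the Name field or the window expires.
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
do {
    $found = Get-CrmDeploymentAdministrator | Where-Object { $_.Name -ieq $fullName }
    if ($found) { break }
    Start-Sleep -Seconds 5
} while ((Get-Date) -lt $deadline)

if ($found) { Write-Output "$fullName is listed as a Deployment Administrator." }
else { throw "$fullName not listed after $TimeoutSeconds seconds; check the deployment." }
```

Membership in the group only helps if the group already carries the Active Directory, local administrator and SQL permissions described earlier; the script does not grant those.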
Thanks! Walter Grow
Microsoft Premier Field Engineer
Good article, thanks.