Security groups required by Microsoft Dynamics CRM 2013

Microsoft Dynamics CRM uses several security groups in Active Directory.

Security Group Account used for
PrivUserGroup
  • Application Service
  • Asynchronous Processing Service
  • Deployment Service
  • VSS Writer Service
  • SQL Server Service (instance used for CRM) See Note 1
  • Computer where the Email Router Service is installed
PrivReportingGroup
  • SQL Server Reporting Services (instance used for CRM)
ReportingGroup
  • All CRM user accounts (including the user account that ran the installation)
SQLAccessGroup
  • Application Service
  • Asynchronous Processing Service
  • Deployment Service
  • Monitoring Service
  • VSS Writer Service

Some of the service names shown during CRM Setup are used in more than one place as shown in the following table.

Service Name shown during Setup Where used
Application Service
  • Web Application Service (CRMAppPool Application Pool identity)
  • Microsoft Dynamics CRM Unzip Service
Asynchronous Processing Service
  • Microsoft Dynamics CRM Asynchronous Processing Service
  • Microsoft Dynamics CRM Asynchronous Processing (maintenance) Service
Deployment Web Service
  • Deployment Web Service (CRMDeploymentServiceAppPool Application Pool identity)
Monitoring Service
  • Microsoft Dynamics CRM Monitoring Service
Sandbox Processing Service See Note 2
  • Microsoft Dynamics CRM Sandbox Processing Service
VSS Writer Service
  • Microsoft Dynamics CRM VSS Writer Service

 

Notes

  1. Early versions of the Implementation Guide show the SQL Server Service account as belonging to the SQLAccessGroup. My experience is that the SQL Server Service account is added to the PrivUserGroup.
  2. The Sandbox Processing Service is not added to any of the CRM security groups.
  3. For the NetworkService or LocalSystem accounts, specify the computer account. 

 

CRM Topics: 
CRM Versions: