Security groups required by Microsoft Dynamics CRM 2013

7 March 2014 9 June 2022

Microsoft Dynamics CRM uses several security groups in Active Directory.

Security Group	Account used for
PrivUserGroup	Application Service Asynchronous Processing Service Deployment Service VSS Writer Service SQL Server Service (instance used for CRM) ^{See Note 1} Computer where the Email Router Service is installed
		PrivReportingGroup	SQL Server Reporting Services (instance used for CRM)
		ReportingGroup	All CRM user accounts (including the user account that ran the installation)
		SQLAccessGroup	Application Service Asynchronous Processing Service Deployment Service Monitoring Service VSS Writer Service

Some of the service names shown during CRM Setup are used in more than one place as shown in the following table.

Service Name shown during Setup	Where used
Application Service	Web Application Service (CRMAppPool Application Pool identity) Microsoft Dynamics CRM Unzip Service
Asynchronous Processing Service	Microsoft Dynamics CRM Asynchronous Processing Service Microsoft Dynamics CRM Asynchronous Processing (maintenance) Service
Deployment Web Service	Deployment Web Service (CRMDeploymentServiceAppPool Application Pool identity)
Monitoring Service	Microsoft Dynamics CRM Monitoring Service
Sandbox Processing Service ^{See Note 2}	Microsoft Dynamics CRM Sandbox Processing Service
VSS Writer Service	Microsoft Dynamics CRM VSS Writer Service

Notes

Early versions of the Implementation Guide show the SQL Server Service account as belonging to the SQLAccessGroup. My experience is that the SQL Server Service account is added to the PrivUserGroup.
The Sandbox Processing Service is not added to any of the CRM security groups.
For the NetworkService or LocalSystem accounts, specify the computer account.

Leave a Comment Cancel Reply