Home > CRM, Javista, Microsoft, Microsoft Dynamics, Tips and Tricks > Customizing OU User Access in a Hosted Environment

Customizing OU User Access in a Hosted Environment

Sometimes an organization unit (OU) will want to restrict Active Directory (AD) User queries in a hosted environment in CRM 4.0. This allows them more security from external organizations.

In the multi-tenant or hosting environment, all CRM administrators can browse the entire AD structure and add any user to their CRM organization. This presents the following security challenges:

1. CRM administrators are able to see the entire AD structure of the host.

2. CRM administrators are able to see other users in the host’s AD domain and add them to their CRM organization.

A design change was requested to have CRM administrators only see and add the users from their own OU into their CRM organization.

The CRM 4.0 platform has no concept about the user root path for each individual organization in the AD structure. It can always traverse and add the CRM user under the root of the AD domain. So to adjust this to your company’s requirements lets use this example. In a multi-tenant hosting environment, the OUs in an AD could be structured as below:

            Hosting.com (Domain)

                        + OU-A (Org-A)

                                    + User-A1 (User)

                                    + User-A2 (User)

                        + OU-B (Org-B)

                                    + User-B1 (User)

                                    + User-B2 (User)

With the design change, the root path for the CRM organization users is set in the configuration database using the CRM Deployment and Configuration tool. The CRM administrator is restricted to browse, resolve and create the new user under the user root path for their organization.

To set (add/update) the UserRootPath OU-A for organization Org-A, the hosting admin needs to run the tool using this command line:

Microsoft.Crm.DeploymentConfigTool.exe userorgsettings update -organization:Org-A -propertyname:UserRootPath -propertyvalue:LDAP://hosting.com/OU=OU-A;DC=hosting;DC=com

To remove the UserRootPath for organization Org-A, run:

Microsoft.Crm.DeploymentConfigTool.exe userorgsettings update -organization:Org-A -propertyname:UserRootPath

After the UserRootPath OU-A is set the CRM administrator of the organization Org-A can only see and add the user under the path such as User-A1 and User-A2. After the UserRootPath is removed, CRM will be restored to its previous state based on the default V4 design, the CRM admin can see and add the users from the entire AD structure.

Here are the steps for the host admin to set the CRM server to restricting the CRM administrator’s access to their own organization:

1. Install Update Rollup 4 or later onto your CRM server.

2. Download the CRM Deployment and Configuration tool to CRM server.

3. Run the tool to add the UserRootPath in AD to the specific organization.

4. Restart IIS.

Now the CRM administrators can only view and add users in their UserRootPath that is set for their organization in AD.

More Information:

This change is available in CRM 4.0 Update Release 4 or newer. You can download UR 4 here: http://support.microsoft.com/kb/968176.

The CRM Deployment and Configuration tool can be downloaded here: http://support.microsoft.com/kb/949079.


Chris Xia

  1. July 10, 2013 at 5:29 am

    Wonderful blog! I found it while surfing around on Yahoo News.
    Do you have any suggestions on how to get listed in
    Yahoo News? I’ve been trying for a while but I never seem to get there! Thank you

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: