
We have several M$ CRM instances running.
Each one has its own dedicated SQL Server instance.

The permissions are set up in accordance with the Microsoft recommendations for setting up MS CRM.

However, I can't find any documentation regarding minimal required permissions to run CRM.
Currently we have the following two permissions that I would like to remove:

  • CRM app pool user has administrator on the SQL Server machine
  • CRM app pool user has sysadmin on the SQL Server instance

My main concern is that this user is currently grouped in with other service account users when it comes to permissions (and the process for obtaining/changing the password). However it is for all intents and purposes an administrator account.

Does anyone have any prior experience with removing the CRM app pool users' permission after installation?

Reaces
  • Have you tried removing the permissions in question and seeing if it runs properly? – GregL Mar 09 '15 at 11:57
  • @GregLinton No, not yet. I currently don't have a DEV machine to play with (it is being used for active development) and I'm mostly trying to find out how far I can go with this before I start. As each action will probably incur a long testing period. – Reaces Mar 09 '15 at 11:59
  • Right, makes sense. For the SQL portion, maybe run the SQL Server profiler for a while to see what kinds of queries/actions are being taken by the user. That might give you some insights into what it actually needs (is it doing things that only sysadmin can do?). – GregL Mar 09 '15 at 12:10
  • @GregLinton That's not really sustainable for a large farm though. How can I guarantee that, for example, creating a new schedule in CRM, happens while I monitor it? This might be a monthly occurrence, or a one-off at the end of the year. And if I can come up with one example of a rare action that might require more permissions (and I might not catch in monitoring the first week), there are probably 20 I don't know about. That's why I'm looking for first-hand experience or documentation ;) – Reaces Mar 09 '15 at 12:12
  • Sadly I can't actually be of any help in the "first-hand" respect. However I can tell you that our MS CRM databases are sitting on a shared SQL cluster, and the DBAs are *very* reluctant to grant local admin or sysadmin access to service accounts, so I suspect it's quite possible. – GregL Mar 09 '15 at 12:48
  • Was my answer useful to you? Please mark it if it was. – Lior Abel Apr 30 '15 at 09:48
  • @LiorAbel I upvoted it, as it is indeed useful. However I'm still a few weeks away from being able to test it (currently at a different assignment). I will revisit and mark as solution when I get to actually implementing it somewhere! – Reaces Apr 30 '15 at 09:50

1 Answer

You should be able to safely remove both permissions for the CRM app pool. However, please take the following into consideration.

First you need to understand why Microsoft and CRM require those permissions. Since the very early days of Microsoft CRM (as far back as 1.2) the installation procedure for CRM was to copy template mdf/ldf to the administrative shares on the SQL server (`\\server\c$`, `\\server\d$`, etc.) and then mount them in SQL. The former operation requires local server admin rights and the latter requires SQL SA rights.

You might think this is complete insanity and wonder why the databases aren't created using a script. My only guess is that it has something to do with the length of time such a database creation would take.

So why am I saying you can safely remove these permissions? Simple!

These permissions are only required during initial installation or whenever you want to add a new organisation to your CRM environment. For normal everyday operation they are not required.

Just make sure to add back those permissions every time you need to add a new organisation. In some cases you will also need them added back for CRM server updates but I have not seen that actually required since CRM 4.0.

Lior Abel
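
The SQL Server half of the change described in this answer, as an added example that is not part of the original answer: it records what the app pool login currently holds, drops a direct `sysadmin` membership, and re-checks the effective result. The login name `CONTOSO\svc-crmapppool` is a hypothetical placeholder, and the `ALTER SERVER ROLE ... DROP MEMBER` syntax assumes SQL Server 2012 or later.

```sql
-- Added example. Assumption: replace the placeholder with your CRM app pool account.
DECLARE @login sysname = N'CONTOSO\svc-crmapppool';

-- 1. Record the server roles the login holds directly, before changing anything.
SELECT r.name AS server_role, m.name AS member
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = @login;

-- 2. Record explicit server-level permissions (GRANT/DENY) so they can be
--    reviewed separately; removing sysadmin does not touch these.
SELECT p.permission_name, p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS m ON m.principal_id = p.grantee_principal_id
WHERE m.name = @login;

-- 3. Drop the direct sysadmin membership if it exists.
IF EXISTS (
    SELECT 1
    FROM sys.server_role_members AS rm
    JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
    JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
    WHERE r.name = N'sysadmin' AND m.name = @login
)
BEGIN
    DECLARE @drop nvarchar(400) =
        N'ALTER SERVER ROLE [sysadmin] DROP MEMBER ' + QUOTENAME(@login) + N';';
    EXEC sys.sp_executesql @drop;
END;

-- 4. Verify the effective result. IS_SRVROLEMEMBER also resolves membership
--    inherited through a Windows group, so a value of 1 here after step 3
--    means some group login on the instance still confers sysadmin.
--    1 = member, 0 = not a member, NULL = role or login not valid.
SELECT IS_SRVROLEMEMBER(N'sysadmin', @login) AS still_sysadmin;

-- 5. Before adding a new organisation, restore the membership, then repeat
--    steps 3 and 4 once the organisation has been created:
--    ALTER SERVER ROLE [sysadmin] ADD MEMBER [CONTOSO\svc-crmapppool];
```

Local administrator membership on the SQL Server machine is managed in Windows, not in SQL Server, and has to be removed and restored there separately.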