Customizing OU User Access in a Hosted Environment

Sometimes an organization unit (OU) will want to restrict Active Directory (AD) User queries in a hosted environment in CRM 4.0. This allows them more security from external organizations.

In the multi-tenant or hosting environment, all CRM administrators can browse the entire AD structure and add any user to their CRM organization. This presents the following security challenges:

1. CRM administrators are able to see the entire AD structure of the host.

2. CRM administrators are able to see other users in the host’s AD domain and add them to their CRM organization.

A design change was requested to have CRM administrators only see and add the users from their own OU into their CRM organization.

The CRM 4.0 platform has no concept about the user root path for each individual organization in the AD structure. It can always traverse and add the CRM user under the root of the AD domain. So to adjust this to your company’s requirements lets use this example. In a multi-tenant hosting environment, the OUs in an AD could be structured as below:


                        + OU-A (Org-A)

                                    + User-A1 (User)

                                    + User-A2 (User)

                        + OU-B (Org-B)

                                    + User-B1 (User)

                                    + User-B2 (User)

With the design change, the root path for the CRM organization users is set in the configuration database using the CRM Deployment and Configuration tool. The CRM administrator is restricted to browse, resolve and create the new user under the user root path for their organization.

To set (add/update) the UserRootPath OU-A for organization Org-A, the hosting admin needs to run the tool using this command line:

Microsoft.Crm.DeploymentConfigTool.exe userorgsettings update -organization:Org-A -propertyname:UserRootPath -propertyvalue:LDAP://;DC=hosting;DC=com

To remove the UserRootPath for organization Org-A, run:

Microsoft.Crm.DeploymentConfigTool.exe userorgsettings update -organization:Org-A -propertyname:UserRootPath

After the UserRootPath OU-A is set the CRM administrator of the organization Org-A can only see and add the user under the path such as User-A1 and User-A2. After the UserRootPath is removed, CRM will be restored to its previous state based on the default V4 design, the CRM admin can see and add the users from the entire AD structure.

Here are the steps for the host admin to set the CRM server to restricting the CRM administrator’s access to their own organization:

1. Install Update Rollup 4 or later onto your CRM server.

2. Download the CRM Deployment and Configuration tool to CRM server.

3. Run the tool to add the UserRootPath in AD to the specific organization.

4. Restart IIS.

Now the CRM administrators can only view and add users in their UserRootPath that is set for their organization in AD.

More Information:

This change is available in CRM 4.0 Update Release 4 or newer. You can download UR 4 here:

The CRM Deployment and Configuration tool can be downloaded here:


Chris Xia

Comments (2)

  1. MP says:

    How can that be done globally? Would it be the same effect to disable the "Add User" button?

    The Propertyvalue:


    Let´s say we have a Customer Org which is build with HMC Standards:

    Domain: Activedirectorydomain.something.local




    How would the Propertyvalue then look like?

    I´ve tried different ways, but i can´t get it fixed.

    Thank you


  2. Eric says:

    The problem with the Propertyvalue attrib is it doesn’t like the spaces in the ldap path…add quotes around the ldap path and you are all set:

    -propertyvalue:"LDAP:// A;OU=Hosting;DC=hosting;DC=com"

Skip to main content