6 Steps to Add a Deployment Administrator in Microsoft Dynamics CRM 2011

I received a call from one of my customers where when a Deployment Administrator, that was recently added, was receiving SQL errors when opening the Deployment Manager console.  The issue was the new Deployment Administrator did not have rights to the MSCRM_Config database.  TechNet has a series of pages, http://technet.microsoft.com/en-us/library/gg197626.aspx, that go through the steps of adding a new Deployment Administrator.  Today I’ll walk you through how to create a security group with the proper security privileges to reduce administrative overhead when adding new Deployment Administrators.  Here is an overview of what is in the CRM IG and Technet Articles:

Microsoft Dynamics CRM 2011 Deployment Manager is a Microsoft Management Console (MMC) snap-in that system administrators and value-added resellers use to manage Deployment Administrator accounts, organizations, servers, and licenses for Microsoft Dynamics CRM deployments.

Important notes:

  • At least one deployment administrator must be defined in each CRM deployment group
  • To run the CRM Deployment Manager and provision tenant organizations, you must be assigned the Deployment Administrator role
  • Deployment Administrators have complete and unrestricted access to perform Deployment Manager tasks on all organizations and servers in a Microsoft Dynamics CRM deployment
  • During Microsoft Dynamics CRM Server Setup, the process automatically assigns the Deployment Administrator role to the user who is running the Setup
  • While you could use the same account, it is recommended that you use separate accounts per CRM deployment group to minimize risk to a security breach
  • Although you should limit the number of Deployment Administrators, the best practice is to enable at least two or three trusted user accounts with this role. This will help prevent potential lockouts that could occur when only using a single account. A second option is to use an additional, separate, service account that would not leave the company and be used to avoid lockout. 

NOTE: The Deployment Administrator role is separate from the Microsoft Dynamics CRM user role.


The following walks you through how to create an AD Group to manage Deployment Administrators privileges:


1: Creating a New CRM Deployment Administrators Security Group in AD

Create a new Active Directory Security group for the CRM Deployment Administrator(s). This group will be used to assign permissions to the systems and security groups necessary to administer fully the CRM organizations in a CRM deployment. Consider naming this group unique to the CRM Deployment, such as CRMDG01Admins.

2: Adding the Deployment Administrators Group as a Local CRM Server Admin

When you add a Deployment Administrator role to a user, Deployment Manager does not grant the user local administrative rights to the CRM Deployment Administration and database servers. This is required to provision resources properly within the deployment.

  1. Log on to CRMDEP01 using an account that is a member of Domain Administrators group.
  2. Add the ContosoCRMDG01Admins group to the local Administrators group.
  3. Repeat this procedure on CRMSQL01


3: Granting CRM Deployment Administrator Permissions to the CRM Active Directory Groups

The user who creates, modifies, edits, and imports organizations in Microsoft Dynamics CRM must have permissions in the following Microsoft Dynamics CRM security groups in Active Directory:

  • PrivReportingGroup {guid}
  • PrivUserGroup {guid}
  • ReportingGroup {guid}
  • SQLAccessGroup {guid}

Note: make sure your various service accounts have the proper group membership, this is documented in our CRM 2011 Setup FAQ, the table in the FAQ is now also listed in the CRM IG.

CRM Deployment Administrator must have permissions to all four Microsoft Dynamics CRM security groups.  The specific permissions a deployment administrator must have on the CRM security groups are as follows:

Basic Permissions

  • Read
  • Write
  • Add/Remove self as member

“Advanced” or Detailed Permissions

  • List Contents
  • Read All Properties
  • Write All Properties
  • Read Permissions
  • Modify Permissions
  • All Validated Writes
  • Add/Remove self as member

The Deployment Administrators group you’ve created will allow you to grant the proper permissions on it and in the future you can save time by adding new CRM Deployment admins to the group we’ve created. To setup the proper permissions for members of this security group:

  1. Log into a computer with Active Directory Users and Computers management console installed 
  2. In Active Directory Users and Computers click the View menu, then check the Advanced Features option
  3. In the left hand navigation expand your domain, for this example: contoso.com.
  4. Click on the organization unit containing the CRM Security groups (as defined during the installation of the first CRM server), The listing pane should display the following CRM security groups:
    • PrivReportingGroup{…}
    • PrivUserGroup{…}
    • ReportingGroup{…}
    • SQLAccessGroup{…}
      *{…} represents the globally unique identifier (GUID) following the group name. The GUID will be unique in every deployment. A representative example group name could be ReportingGroup {4efba72a-232f-44ec-9d95-155eb6ffb1be}
  5. Right-click the PrivReportingGroup security group and then click Properties.
  6. In the Properties dialog box, select the Security tab, and in the Group or user names list, click Add.
  7. In the Enter the object name to select text box, type CRMDG01Admins, click the Check Names button, and then click OK.
  8. With the CRMDG01Admins group selected, click to select the Allow check box for the Write permission. This action causes the system to select automatically the Add/Remove self as member check box.
    • By default, the Allow check box is selected for the Read permission.
  9. Click Advanced.
  10. In the Permission list, select the CRMDG01Admins group, and then click Edit.
  11. Click to select the Allow check box for the Modify Permissions permission.  By default, the Allow check box is selected for the following permissions:
    • List Contents
    • List Object
    • Read All Properties
    • Write All Properties
    • Read Permissions
    • All Validated Writes
    • Add/Remove self as member
  12. Click OK three times.
  13. Repeat the steps in this procedure to grant the CRMDG01Admins permissions to modify the PrivUserGroup, ReportingGroup, and SQLAccessGroup security groups.

4: Grant CRM Deployment Administrators Permissions to CRM SQL Objects

When you add a Deployment Administrator role to a user, Deployment Manager does not add the required permissions on the instance of SQL Server where the Microsoft Dynamics CRM databases are stored. When the user tries to start Deployment Manager, the user might receive an error message that says, "Unable to access the MSCRM_CONFIG database. SQL Server does not exist or access denied." To resolve this issue, you must add the user to SQL log-ins by using Reporting Services. For the new deployment administrator to manage CRM organizations created by other deployment administrators, he or she must be granted db_owner permissions to those databases, or be assigned the sysadmin server role to manage all databases.

  1. Log on to CRMSQL using an account that is a member of Domain Administrators group.
  2. Launch the SQL Server 2008 Management Studio.
  3. On the Connect to Server dialog box, click Connect.
  4. Expand Security.
  5. Right-click Logins and select New Login.
  6. Click the Search button.
  7. In the Select User or Group dialog box, do the following:
    • Click Object Types, and then enable the Groups type.
    • Click Locations, and then select Entire Directory.
  8. Click OK.
  9. In the Enter the object name to select text box, type domain group name (that is, CRMDG01Admins), click the Check Names button, and then click OK.
  10. In the Default database drop-down box, select MSCRM_CONFIG.
  11. From the page list on the left, select Server Roles, enable the sysadmin role for the user, and then click OK.
  12. Expand Databases.
  13. Expand the MSCRM_CONFIG database.
  14. Expand Security.
  15. Right-click Users and then select New User.
  16. In the User name field, type the domain user login name (that is, CRMDG01Admins).
  17. In the Login name field, type ContosoCRMDG01Admins.
  18. In the Database role membership section, select the db_owner check box, and then click OK.
  19. Close the SQL Server 2008 Management Studio.

5: Adding Domain User Account to CRM Deployment Administrators Group

  1. Verify that a domain user account exists for the new deployment administrator. If it does not, create a new account.
  2. Add the new user to the previously created CRMDG01Admins group. Also, ensure this account is also member of the Domain Users group.

6: Add the User as a CRM Deployment Administrator in CRM Deployment Manager

You can add the Deployment Administrator using the either the Microsoft Management Console (MMC) or using a PowerShell Script

Add a Deployment Administrator Using MMC

In the console tree, right-click Deployment Administrators, and then click New Deployment Administrator.

In the Select User dialog box, in the Enter object name to select box, type the name of a user, who must exist in Active Directory, and then click Check Names.

After the user name is accepted, click OK.

To add the Deployment Administrator using PowerShell

The New-CrmDeploymentAdministrator cmdlet adds a new Deployment Administrator to the deployment.


New-CrmDeploymentAdministrator -Name username

where: username is the name of the user being given the Deployment Administrator role. It must be in the form domainusername. The user must exist in Active Directory.

  1. Logon to the CRM server with the Deployment Administrator role, such as CRMDEP01, using the account used to install CRM services.
  2. Launch an administrative Windows PowerShell command window from the quick launch bar, or from the Start menu under Program Files, Accessories, Windows PowerShell, and then Windows PowerShell.
  3. In the Windows PowerShell command window, execute the following commands:

    Add-PSSnapin Microsoft.Crm.PowerShell

    New-CrmDeploymentAdministrator -Name contoso<username>
    Note: No data will be returned upon successful completion, as the call is asynchronously processed.

  4. To verify that the account was properly created, either open the Deployment Manager and confirm the account is displayed in the Deployment Administrators list, or run the following CRM PowerShell cmdlet and confirm the account specified is found in the Name field: Get-CrmDeploymentAdministrator


Walter Grow

Microsoft Premier Field Engineer

Comments (3)

  1. Daniel Biener says:

    Good article, thanks.

  2. CRM 2011 installation says:

    While installing CRM trial instance in the precheck list page. I am getting the following error have given all the permissions mentioned in the planning guide but still the setup fails.

    In the event vierwer I have seen two audit failures :

    Please advise accordingly:

    14:38:03|  Error| Check AspNetServiceAccountCanMonitorPerfCountersValidator : Failure: Logon failure: unknown user name or bad password.

    14:38:03|  Error| Check AsyncServiceAccountCanMonitorPerfCountersValidator : Failure: Logon failure: unknown user name or bad password.

  3. Sun Ayo says:

    Great and extremely useful article to read very helpful…..Many thanks,

Skip to main content