What kind of service account should we choose to set up MS CRM?
What kind of service account should we choose?
When we specify an identity to run a Microsoft Dynamics CRM service, we can choose either a domain user account or the Network Service account. In my opinion, the better option is always a domain account.
If the service interacts with network services, accesses domain resources such as file shares, or uses linked server connections to other computers, use a minimally privileged domain account.
The Network Service account is a built-in local account with more privileges on the local computer than a standard member of the Users group (for example, it holds SeImpersonatePrivilege). Services that run as Network Service access network resources by using the credentials of the computer account, in the format <domain_name>\<computer_name>$. The actual name of the account is NT AUTHORITY\NETWORK SERVICE. The least-privilege caveat is that every service on the computer that runs as Network Service shares that one identity: a permission granted to the computer account is granted to all of them, and a compromise of any one of them yields the same network identity.
Advantage of a domain account: in a distributed environment it is easy to grant the domain user account exactly the rights it needs on each network resource, and access by that account can be audited separately from the computer's own activity.
Minimum permissions required for Microsoft Dynamics CRM Setup and services
Microsoft Dynamics CRM is designed so that its features can run under separate identities. By specifying a domain user account that is granted only the permissions necessary to enable a particular feature to function, you help secure the system and reduce the likelihood of exploitation.
Microsoft Dynamics CRM Server Setup
The user account used to run Microsoft Dynamics CRM Server Setup that includes the creation of databases requires the following minimum permissions:
- Be a member of the Active Directory Domain Users group. By default, Active Directory Users and Computers adds new users to the Domain Users group.
- Be a member of the Administrators group on the local computer where Setup is running. (Currently: Added by Wintel team)
- Have Local Program Files folder read and write permission.
- Be a member of the Administrators group on the local computer where the instance of SQL Server is located that will be used to store the Microsoft Dynamics CRM databases.
- Have sysadmin membership on the instance of SQL Server that will be used to store the Microsoft Dynamics CRM databases.
- Have organizational unit and security group creation permission in Active Directory. Alternatively, you can use a Setup XML configuration file to install Microsoft Dynamics CRM Server when security groups have already been created.
- If Microsoft SQL Server Reporting Services is installed on a different server, you must add the Content Manager role at the root level for the installing user account. You must also add the System Administrator Role at the site-wide level for the installing user account.
- If CRMAppPool or the Microsoft Dynamics CRM services run as NT AUTHORITY\NETWORK SERVICE (that is, as the computer account <domain_name>\<computer_name>$), the computer account must be added to all four Microsoft Dynamics CRM security groups in Active Directory.
- If CRMAppPool or the Microsoft Dynamics CRM services run as a domain service account instead, that domain account must be added to all four groups, and it should be granted only the minimum privileges listed in the next section.
Note: the account used to run Setup becomes a Microsoft Dynamics CRM user (Setup makes it the Deployment Administrator), so it must not also be used as the CRMAppPool identity; otherwise CRM can hit unpredictable authentication problems. In other words:
Microsoft Dynamics CRM services and application pool identity accounts must not be configured as a Microsoft Dynamics CRM user. Doing so can cause authentication issues and unexpected behavior in the application for all Microsoft Dynamics CRM users.
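The two checks above (which identity each CRM component runs as, and whether the principal that identity presents on the network is in the CRM security groups) can be scripted. The following PowerShell is an added example for this page, not code from the original post or from Microsoft; it assumes it is run elevated on a CRM server with the RSAT ActiveDirectory and IIS WebAdministration modules installed, that CRM Windows service names start with "MSCRM" and the CRM application pool names start with "CRM", and that the groups keep the default names Setup gives them (PrivUserGroup, SQLAccessGroup, CRM_WPG, each with the GUID suffix Setup appends). All of those names are assumptions; adjust them to your deployment.

```powershell
# Added example, not part of the original post or of Microsoft's documentation.
# Reports the run-as identity of each Dynamics CRM Windows service and IIS application
# pool, resolves the Active Directory principal that identity uses on the network, and
# checks that principal's membership in the CRM security groups created by Setup.
# Assumptions: elevated session on the CRM server; RSAT ActiveDirectory and IIS
# WebAdministration modules present; service names "MSCRM*", app pool names "CRM*";
# default group names PrivUserGroup, SQLAccessGroup, CRM_WPG (with Setup's GUID suffix).
Import-Module ActiveDirectory
Import-Module WebAdministration

$groupPrefixes = 'PrivUserGroup', 'SQLAccessGroup', 'CRM_WPG'

function Resolve-NetworkPrincipal {
    # Built-in identities do not exist in AD: NETWORK SERVICE, LocalSystem and the IIS
    # virtual application pool accounts all present the computer account
    # (<domain>\<computer>$) to other hosts; LOCAL SERVICE is anonymous on the network.
    param([string]$Identity)
    if ($Identity -match '^(NT AUTHORITY\\)?(NETWORK ?SERVICE|SYSTEM|LocalSystem)$' -or
        $Identity -like 'IIS AppPool\*') { return "$env:COMPUTERNAME`$" }
    if ($Identity -match '^(NT AUTHORITY\\)?LOCAL ?SERVICE$') { return $null }
    return ($Identity -replace '^.*\\', '')        # DOMAIN\svc_crm -> svc_crm
}

# Collect CRM Windows services and IIS application pools with their run-as identity.
$components = @()
Get-CimInstance Win32_Service -Filter "Name LIKE 'MSCRM%'" | ForEach-Object {
    $components += [pscustomobject]@{ Component = "service $($_.Name)"; Identity = $_.StartName }
}
Get-ChildItem IIS:\AppPools | Where-Object Name -like 'CRM*' | ForEach-Object {
    $pm = $_.processModel
    $identity = switch ($pm.identityType) {
        'SpecificUser'            { $pm.userName }
        'ApplicationPoolIdentity' { "IIS AppPool\$($_.Name)" }
        default                   { "NT AUTHORITY\$($pm.identityType)" }  # NetworkService, LocalService, LocalSystem
    }
    $components += [pscustomobject]@{ Component = "apppool $($_.Name)"; Identity = $identity }
}

# Resolve each CRM group once and cache its member SAM names (computer accounts end in "$").
$members = @{}
foreach ($prefix in $groupPrefixes) {
    $grp = Get-ADGroup -Filter "Name -like '$prefix*'" | Select-Object -First 1
    $members[$prefix] = if ($grp) {
        @(Get-ADGroupMember $grp -Recursive | Select-Object -ExpandProperty SamAccountName)
    } else { @() }
}

$report = foreach ($c in $components) {
    $principal = Resolve-NetworkPrincipal $c.Identity
    $missing = if ($principal) {
        $groupPrefixes | Where-Object { $members[$_] -notcontains $principal }
    } else { $groupPrefixes }
    [pscustomobject]@{
        Component        = $c.Component
        RunsAs           = $c.Identity
        NetworkPrincipal = $principal
        # True when the component shares the computer account with every other local
        # service that runs as Network Service: the least-privilege concern discussed above.
        SharedIdentity   = ($principal -eq "$env:COMPUTERNAME`$")
        MissingGroups    = ($missing -join ', ')
    }
}
$report | Format-Table -AutoSize
```

A row whose NetworkPrincipal is the computer account with SharedIdentity set to True is the Network Service case from the first bullet; a row with a non-empty MissingGroups column is a component whose identity Setup (or an administrator) has not yet added to the groups.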
Microsoft Dynamics CRM services and IIS application pool identity permissions
This section lists the minimum permissions that domain user accounts require for the services and the IIS application pools that Microsoft Dynamics CRM uses.
• Microsoft Dynamics CRM services and application pool (CRMAppPool) identity accounts must not be configured as a Microsoft Dynamics CRM user. Doing so can cause authentication issues and unexpected behavior in the application for all Microsoft Dynamics CRM users. (Currently: in our case the IIS CRMAppPool runs as the Network Service account.)
Microsoft Dynamics CRM Sandbox Processing Service (Working: Handles the processing of isolated plugins)
- Domain Users membership.
- That account must be granted the Log on as a service right in the Local Security Policy.
- Folder read and write permission on the Trace folder, by default located under \Program Files\Microsoft Dynamics CRM\Trace, and on the account's own %AppData% folder on the local computer.
- Read permission to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM subkey in the Windows registry.
- The service account may need an SPN for the URL used to access the website that is associated with it. To set the SPN for the Sandbox Processing Service account, run the following command at a command prompt on the computer where the service is running.
SETSPN -a MSCRMSandboxService/<ComputerName> <service account>
Microsoft Dynamics CRM Asynchronous Processing Service and Microsoft Dynamics CRM Asynchronous Processing Service (maintenance) services (Working: Handles the processing of queued Asynchronous Events)
- Domain Users membership.
- PrivUserGroup and SQLAccessGroup membership. By default, these groups are created and appropriate membership is granted during Microsoft Dynamics CRM Server Setup.
- Built-in local group Performance Log Users membership.
- That account must be granted the Log on as a service right in the Local Security Policy.
- Folder read and write permission on the Trace folder, by default located under \Program Files\Microsoft Dynamics CRM\, and on the account's own %AppData% folder on the local computer.
- Read and write permission to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSCRMSandboxService subkeys in the Windows registry.
- The service account may need an SPN for the URL used to access the website that is associated with it. To set the SPN for the Asynchronous Service account, run the following command at a command prompt on the computer where the service is running.
SETSPN -a MSCRMAsyncService/<ComputerName> <service account>
Microsoft Dynamics CRM Monitoring Service (MS CRM 2015) (Working: service that monitors all Microsoft Dynamics CRM Server roles running on the local computer)
- Domain Users membership.
- That account must be granted the Log on as a service right in the Local Security Policy.
- If the Microsoft Dynamics CRM Monitoring Service is installed with a Front End Server role, local Administrators group membership on the computer where the service is running is required to monitor the web site and application pools.
- Read permission to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM subkey in the Windows registry.
- SQLAccessGroup membership. By default, this group is created and appropriate membership is granted during Microsoft Dynamics CRM Server Setup.
- The service account may need an SPN for the URL used to access the website that is associated with it.
Microsoft Dynamics CRM VSS Writer service (MS CRM 2015) (Working: Service provides added functionality for backup and restore of Microsoft Dynamics CRM databases through the Volume Shadow Copy Service framework)
- Domain Users membership.
- That account must be granted the Log on as a service right in the Local Security Policy.
- Read permission to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM subkey in the Windows registry.
- PrivUserGroup and SQLAccessGroup membership. By default, these groups are created and appropriate membership is granted during Microsoft Dynamics CRM Server Setup.
Deployment Web Service (CRMDeploymentServiceAppPool Application Pool identity)
- Domain Users membership.
- That account must be granted the Log on as a service right in the Local Security Policy.
- Local administrator group membership on the computer where SQL Server is running is required to perform organization database operations (such as create new or import organization).
- Local administrator group membership on the computer where the Deployment Web Service is running.
- Sysadmin permission on the instance of SQL Server to be used for the configuration and organization databases.
- Folder read and write permission on the Trace and CRMWeb folders, by default located under \Program Files\Microsoft Dynamics CRM\, and on the account's own %AppData% folder on the local computer.
- Read and write permission to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSCRMSandboxService subkeys in the Windows registry.
- PrivUserGroup and SQLAccessGroup membership. By default, these groups are created and appropriate membership is granted during Microsoft Dynamics CRM Server Setup.
- CRM_WPG group membership. This group is used for IIS worker processes. The group is created and the membership is added during Microsoft Dynamics CRM Server Setup.
- The service account may need an SPN for the URL used to access the website that is associated with it.
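The per-service lists above are all variations of the same five grants: the Log on as a service right, a built-in local group, read/write on the Trace folder, read or read/write on the MSCRM registry subkeys, and an SPN. The PowerShell below is an added example for this page, not code from the original post or from Microsoft, and it applies those grants for the Asynchronous Processing Service account as a worked case; AD group membership (PrivUserGroup, SQLAccessGroup) is left to Setup as the page says. It assumes an elevated session on the CRM server, the default Trace and registry locations given above, and a hypothetical account name CONTOSO\svc_crmasync.

```powershell
# Added example, not part of the original post or of Microsoft's documentation.
# Grants the local minimum permissions listed above for the Asynchronous Processing
# Service account and registers its SPN. Assumptions: elevated session on the CRM
# server; default Trace and registry paths from this page; hypothetical account name.
$account   = 'CONTOSO\svc_crmasync'     # hypothetical; replace with your service account
$tracePath = "$env:ProgramFiles\Microsoft Dynamics CRM\Trace"
$regKeys   = 'HKLM:\SOFTWARE\Microsoft\MSCRM',
             'HKLM:\SYSTEM\CurrentControlSet\Services\MSCRMSandboxService'

function Grant-LogonAsService {
    # Windows has no cmdlet for user-rights assignment: export the local policy with
    # secedit, add the account's SID to SeServiceLogonRight, and re-import only that area.
    param([string]$Account)
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    $db  = Join-Path $env:TEMP 'user-rights.sdb'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $text = Get-Content $cfg -Raw
    if ($text -match '(?m)^SeServiceLogonRight\s*=([^\r\n]*)') {
        $current = $Matches[1]
        if ($current -notmatch [regex]::Escape("*$sid")) {
            $text = $text -replace '(?m)^(SeServiceLogonRight\s*=[^\r\n]*)', "`$1,*$sid"
        }
    } else {
        $text = $text -replace '(?m)^\[Privilege Rights\]', "[Privilege Rights]`r`nSeServiceLogonRight = *$sid"
    }
    Set-Content -Path $cfg -Value $text -Encoding Unicode
    secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
    Remove-Item $cfg, $db -ErrorAction SilentlyContinue
}

Grant-LogonAsService -Account $account

# Built-in local group Performance Log Users. net.exe works on every supported server
# version; Add-LocalGroupMember exists only on Windows Server 2016 and later.
net localgroup "Performance Log Users" $account /add | Out-Null

# Trace folder: Modify (read + write), inherited by new files and subfolders, and nothing
# more, so the account cannot rewrite the folder's own ACL. The account's %AppData%
# profile folder is created and owned by the account at its first logon, so it needs
# no explicit grant.
if (-not (Test-Path $tracePath)) { New-Item -ItemType Directory -Path $tracePath | Out-Null }
icacls $tracePath /grant "${account}:(OI)(CI)M" | Out-Null

# Registry: ReadKey + WriteKey on the two subkeys the page lists, inherited by subkeys.
# The MSCRMSandboxService key exists only once the Sandbox service is installed.
$rights = [System.Security.AccessControl.RegistryRights]'ReadKey, WriteKey'
foreach ($key in $regKeys) {
    if (-not (Test-Path $key)) { continue }
    $acl  = Get-Acl -Path $key
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $account, $rights, 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $key -AclObject $acl
}

# SPN for Kerberos. The page uses "setspn -a", which registers without checking for
# duplicates; "-S" refuses to add an SPN already held by another account, because a
# duplicate SPN breaks Kerberos authentication for both accounts.
setspn -S "MSCRMAsyncService/$env:COMPUTERNAME" $account

# Verify what was granted.
secedit /export /cfg "$env:TEMP\verify.inf" /areas USER_RIGHTS | Out-Null
Select-String -Path "$env:TEMP\verify.inf" -Pattern '^SeServiceLogonRight'
Remove-Item "$env:TEMP\verify.inf" -ErrorAction SilentlyContinue
icacls $tracePath | Select-String ([regex]::Escape($account))
setspn -L $account
```

For the Sandbox, Monitoring and VSS Writer accounts the same script applies with the differences the lists above give: drop the Performance Log Users line, use ReadKey only for the registry rule where the list says read permission, and change the SPN service class (for example MSCRMSandboxService).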