Dynamics Community Forum Thread Details

CRM Services account rights

Hello team.

I've an dynamics crm on-premises and i'm using the services accounts under domain admin group in active directory.
Today the security team was asking why these account are under the domain admin group.

There's an official document referring to service accounts rights and if this accounts should be in these group or can be remove from domain admin group?

I don't remember why i added these accounts in domain admin.

It's a productive environment.

Thanks a lot.

Hey Jonathan.

Most of the information can be checked on https://learn.microsoft.com/en-us/dynamics365/customerengagement/on-premises/deploy/security-considerations-for-microsoft-dynamics-365?view=op-9-1. Not sure why on your particular scenario they were added to "Domain admins", as the recommendation is always "least privilege". Installation does require that the users are added as local administrators on the machines where you're installing. However, these points are interesting:

Managed service accounts (group-managed service accounts (gMSA) or single-managed service accounts) and virtual accounts (NT SERVICE\,<SERVICENAME>) aren't supported for running Dynamics 365 for Customer Engagement services.
Have organizational unit and security group creation and add membership permission to those groups in Active Directory. Alternatively, you can use a Setup XML configuration file to install Dynamics 365 Server when security groups have already been created.

Best regards

Quick Links

Subscribe to this forum!