Minimum permissions required for installing Microsoft Dynamics CRM 2015, 2016

Some organizations' system admin teams do not grant permissions easily because of their security policies, so we need to give them a document that lists the minimum permissions required for installing Microsoft Dynamics CRM.

The information below assumes that all server roles are installed on the same server.

There are two options for installing Microsoft Dynamics CRM:

  1. The Setup program creates the Active Directory security groups when you install Microsoft Dynamics CRM.
  2. If the system admin team refuses the request for Read and Write permission on the organizational unit (OU): pre-create the Active Directory security groups and use them while installing Microsoft Dynamics CRM.

1. Setup program creates the Active Directory security groups when you install Microsoft Dynamics CRM.



  • Add the user account of the user who is installing Microsoft Dynamics CRM as a member of the local administrator group. To do this, follow these steps on the Microsoft Dynamics CRM server and on the computer that is running Microsoft SQL Server:
    1. Log on to the server as a user who has local administrator permissions.
    2. Click Start, point to Administrative Tools, and then click Computer Management.
    3. Expand System Tools.
    4. Expand Local Users and Groups.
    5. Click Groups.
    6. Right-click Administrators, and then click Properties.
    7. To add the account of the user who is installing Microsoft Dynamics CRM, click Add.
  • If SQL Server Reporting Services (SSRS) is installed on a server other than the server on which you added permissions in step 1, you must add the Content Manager role at the root level for the installing user account. And, you must add the System Administrator role at the site-wide level for the installing user account. To do this, follow these steps on the Reporting Services server:
    1. Start Windows Internet Explorer, and then locate the following site:
      http://srsserver/reports
    2. On the Properties tab, click New Role Assignment.
    3. In the Group or user name box, type the user name of the user who is installing Microsoft Dynamics CRM, click to select the Content Manager check box, and then click OK.

      Note Use the following format when you type the user name:
      domainname\username
    4. Click Site Settings.
    5. Under Security, click Configure site-wide security, and then click New Role Assignment.
    6. In the Group or user name text box, type the user name of the user who is installing Microsoft Dynamics CRM, click to select the System Administrator check box, and then click OK.

      Note Use the following format when you type the user name:
      domainname\username
  • For the user account of the user who is installing Microsoft Dynamics CRM, add the following permissions to the organizational unit (OU) in the Active Directory directory service. You must do this for the OU that you select during the installation of Microsoft Dynamics CRM 4.0.

    Permissions
    • Read
    • Create All Child Objects
    Advanced permissions
    • Read Permissions
    • Modify Permissions
    • Read Members
    • Write Members
    To add the permissions, follow these steps:
    1. Log on to the domain controller server as a user who has domain administrator permissions.
    2. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
    3. On the View menu, click Advanced Features.
    4. In the navigation pane, find the OU that you want to use for the Microsoft Dynamics CRM installation. To do this, expand the tree to the node that contains the security group.
    5. Right-click the security group, click Properties, and then click the Security tab.
    6. In the Group or user names list, click the user account of the user who is installing Microsoft Dynamics CRM if the account is listed. If the account is not listed, click Add to add the user account.
    7. In the Allow column, click to select the check box for the Create All Child Objects permission.

      Note By default, the Allow check box is selected for the Read permission.
    8. Click Advanced.
    9. In the Permission entries list, click Add, select the user account of the user who is installing Microsoft Dynamics CRM, and then click OK.
    10. In the Apply onto list, click Group objects.
    11. In the Allow column, click to select the following check boxes:
      • Read Permissions
      • Modify Permissions
    12. Click the Properties tab.
    13. In the Apply onto list, click Group objects.
    14. In the Allow column, click to select the following check boxes:
      • Read Members
      • Write Members
    15. Click OK three times.
  • Install Microsoft Dynamics CRM.
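
The following PowerShell audit is an added example, not part of the original article or of Microsoft's documentation. It lists the access control entries that the installing account holds on the OU and flags anything broader than the permissions listed above. The OU path, the account name and the mapping of check boxes to `ActiveDirectoryRights` flags are assumptions.

```powershell
# Added example: list what the installing account holds on the CRM OU.
# $OuDn and $Installer are placeholders for your own OU and account.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$OuDn      = 'OU=Company Name,DC=example,DC=com'
$Installer = 'EXAMPLE\crm-install'
$AdRights  = [System.DirectoryServices.ActiveDirectoryRights]

# Assumed mapping of the check boxes above to ActiveDirectoryRights flags:
#   Read                     -> GenericRead (includes ReadControl, ReadProperty)
#   Create All Child Objects -> CreateChild
#   Modify Permissions       -> WriteDacl
#   Write Members            -> WriteProperty on the member attribute
$Expected = $AdRights::GenericRead -bor $AdRights::CreateChild -bor
            $AdRights::WriteDacl   -bor $AdRights::WriteProperty

# schemaIDGUID of the member attribute.
$MemberAttr = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

# Only direct entries are listed; rights held through group membership
# need the same check against each group the account belongs to.
$report = (Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $Installer } |
    ForEach-Object {
        $rights      = [int]$_.ActiveDirectoryRights
        $writesProps = ($rights -band [int]($AdRights::WriteProperty)) -ne 0
        [pscustomobject]@{
            Type       = $_.AccessControlType
            Rights     = $_.ActiveDirectoryRights
            Scope      = $_.InheritanceType
            ChildClass = $_.InheritedObjectType
            Inherited  = $_.IsInherited
            # Rights outside the documented set, for example GenericAll.
            Excess     = ($rights -band (-bnot [int]$Expected)) -as $AdRights
            # WriteProperty that is not limited to the member attribute.
            WriteBeyondMember = $writesProps -and ($_.ObjectType -ne $MemberAttr)
        }
    }

$report | Format-Table -AutoSize
if (-not $report) { Write-Warning "No direct entries for $Installer on $OuDn" }
$report | Where-Object { [int]$_.Excess -ne 0 -or $_.WriteBeyondMember } |
    ForEach-Object { Write-Warning "Broader than documented: $($_.Rights) ($($_.Scope))" }
```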

2. Pre-create the Active Directory security groups and use them while installing Microsoft Dynamics CRM.

    1. Create the following security groups in Active Directory:
      • PrivUserGroup
      • PrivReportingGroup
      • ReportingGroup
      • SQLAccessGroup
      • UserGroup
      To create the security groups in Active Directory, follow these steps:
      1. Log on to the domain controller server as a user who has domain administrator permissions.
      2. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
      3. Expand the "Active Directory Users and Computers" tree to the root of the domain or to the specific organizational unit (OU) that you want to use to install Microsoft Dynamics CRM.
      4. Right-click the domain root or the OU that you want to use, click New, and then click Group.
      5. In the Group Name field, type the name of the group. For example, type PrivUserGroup.
      6. If the domain functional level is Windows Server 2003 or Microsoft Windows 2000 native, click Domain local in the Group scope list. If the domain functional level is Windows 2000 mixed, click Global in the Group scope list.
      7. Click OK.
      8. Repeat steps 4 through 7 earlier in this section to create each security group.
    2. Add the user account of the user who is installing Microsoft Dynamics CRM as a member of the Local Administrator group. You must complete this step on the computer that is running the Microsoft Dynamics CRM server and on the computer that is running SQL Server.
      1. Log on to the server as a user who has local administrator permissions.
      2. Click Start, click Administrative Tools, and then click Computer Management.
      3. Expand System Tools, expand Local Users and Groups, and then expand Groups.
      4. Right-click Administrators, and then click Properties.
      5. To add the user account of the user who is installing Microsoft Dynamics CRM, click Add, and then click OK.
    3. If SQL Server Reporting Services (SSRS) is installed on a server other than the server on which you added permissions in step 1, add the Content Manager role at the root level for the installing user account. Then, add the System Administrator Role at site-wide level for the installing user account. To do this, follow these steps on the server that is running Reporting Services:
      1. Start Internet Explorer, and then locate the following site:
        http://srsserver/reports
      2. Click the Properties tab, and then click New Role Assignment.
      3. In the Group or user name box, type the name of the user who is installing Microsoft Dynamics CRM, click to select the Content Manager check box, and then click OK.

        Note Use the following format when you type the user name:
        domainname\username
      4. Click Site Settings.
      5. Under Security, click Configure site-wide security, and then click New Role Assignment.
      6. In the Group or user name box, type the name of the user who is installing Microsoft Dynamics CRM, click to select the System Administrator check box, and then click OK.

        Note Use the following format when you type the user name:
        domainname\username
    4. If you want Microsoft Dynamics CRM to manage the Microsoft Dynamics CRM security groups that are created during the installation, add the following permissions to the security groups that you created in step 1 earlier in this section:

      Permissions
      • Read
      • Write
      • Add/Remove self as member
      Advanced permissions
      • List Contents
      • Read All Properties
      • Write All Properties
      • Read Permissions
      • Modify Permissions
      • All Validated Writes
      • Add/Remove self as member
      To add the permissions, follow these steps for each security group that you created in step 1 earlier in this section:
      1. Log on to the domain controller server as a user who has domain administrator permissions.
      2. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
      3. On the View menu, click Advanced Features.
      4. In the navigation pane, expand the tree to the security group, right-click the security group, click Properties, and then click the Security tab.
      5. In the Group or user names list, click the user account of the user who is installing Microsoft Dynamics CRM if the account is listed. If the account is not listed, click Add to add the user account.
      6. In the Allow column, click to select the check box for the Write permission. This action causes the system to automatically select the check box for the Add/Remove self as member permission.

        Note By default, the Allow check box is selected for the Read permission.
      7. Click Advanced.
      8. In the Permission entries list, click the user account of the user who is installing Microsoft Dynamics CRM, and then click Edit.
      9. Click to select the Modify Permissions check box in the Allow column.
      10. Click OK three times.
      Notes
      • By default, the following permissions are set to Allow:
        • List Contents
        • Read All Properties
        • Write All Properties
        • Read Permissions
        • All Validated Writes
        • Add/Remove self as member
      • If you will turn off Auto Group Management for the installation, you do not have to complete step 4.
      • For more information about Auto Group Management, see the "Auto Group Management options" section.
    5. When you first log on to Microsoft Dynamics CRM, and every time that a user is added to Microsoft Dynamics CRM, you must complete the following actions:
      • To log on, use a user account that has the necessary rights.
      • Manually add the users and the computers to the appropriate security groups.
    6. To use the pre-created Active Directory security groups, create a configuration file to point to Microsoft Dynamics CRM. To do this, create an XML configuration file that uses the syntax that is in the following example. Modify the variables as appropriate. The list that follows the sample code describes how to modify the variables that are in this example.

      In the following sample code, the XML file is named Config_precreate.xml. The domain name is microsoft.com. These names represent the actual names that you use. The Active Directory hierarchy is as follows:
      • root domain
        • Company Name OU
          • Company Name OU
      Sample code


      <CRMSetup>
        <Server>
          <Groups AutoGroupManagementOff="true">
            <PrivUserGroup>CN=PrivUserGroup,OU=Company Name,OU=Company Name,DC=<domain>,DC=<domain_extension></PrivUserGroup>
            <SQLAccessGroup>CN=SQLAccessGroup,OU=Company Name,OU=Company Name,DC=<domain>,DC=<domain_extension></SQLAccessGroup>
            <UserGroup>CN=UserGroup,OU=Company Name,OU=Company Name,DC=<domain>,DC=<domain_extension></UserGroup>
            <ReportingGroup>CN=ReportingGroup,OU=Company Name,OU=Company Name,DC=<domain>,DC=<domain_extension></ReportingGroup>
            <PrivReportingGroup>CN=PrivReportingGroup,OU=Company Name,OU=Company Name,DC=<domain>,DC=<domain_extension></PrivReportingGroup>
          </Groups>
        </Server>
      </CRMSetup>
      
      Modify the parameters in the example by using the following replacement values:
      • PrivUserGroup: The name of the PrivUserGroup security group
      • SQLAccessGroup: The name of the SQLAccessGroup security group
      • UserGroup: The name of the UserGroup security group
      • ReportingGroup: The name of the ReportingGroup security group
      • PrivReportingGroup: The name of the PrivReportingGroup security group
      • domain: The domain name
      • domain_extension: The domain extension
      Note For more information about all the configuration file parameters and samples, see the implementation guide.
    7. Run the Microsoft Dynamics CRM server installation. To do this, click Start, click Run, type C:\ServerSetup.exe /config C:\configprecreate.xml in the Open box, and then click OK.

      Notes
      • "C:\ServerSetup.exe" refers to the path of the ServerSetup.exe file on the installation medium.
      • "C:\configprecreate.xml" refers to the name and the path of the configuration file that was created.
    Now you need to set AutoGroupManagementOff="False".

    For more information, refer to KB article 946677.
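
Steps 1 and 6 of option 2 (creating the five groups and writing the configuration file) can be scripted so that the distinguished names in the file always match what exists in the directory. This PowerShell script is an added example, not code from the original article or from Microsoft; the OU path is a placeholder, and the script must be run by an account that is allowed to create groups in that OU.

```powershell
# Added example: pre-create the five CRM groups and write the setup config file.
# $OuDn is a placeholder; the group names and config path come from the article.
Import-Module ActiveDirectory

$OuDn       = 'OU=Company Name,OU=Company Name,DC=example,DC=com'
$ConfigPath = 'C:\configprecreate.xml'   # path used in step 7
$GroupNames = 'PrivUserGroup', 'SQLAccessGroup', 'UserGroup',
              'ReportingGroup', 'PrivReportingGroup'

# Build <CRMSetup><Server><Groups AutoGroupManagementOff="true"> as in the sample.
$xml    = New-Object System.Xml.XmlDocument
$root   = $xml.AppendChild($xml.CreateElement('CRMSetup'))
$server = $root.AppendChild($xml.CreateElement('Server'))
$groups = $server.AppendChild($xml.CreateElement('Groups'))
$groups.SetAttribute('AutoGroupManagementOff', 'true')

foreach ($name in $GroupNames) {
    # Look only directly inside the OU, so the script can be re-run safely.
    $existing = Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $OuDn -SearchScope OneLevel
    if (-not $existing) {
        # Domain local scope, as the group-creation steps prescribe for
        # Windows Server 2003 and Windows 2000 native functional levels.
        $existing = New-ADGroup -Name $name -GroupCategory Security `
            -GroupScope DomainLocal -Path $OuDn -PassThru
    }
    if ($existing.GroupCategory -ne 'Security') {
        throw "$name exists in $OuDn but is not a security group"
    }
    # Write the DN that AD returns, so the file matches the directory exactly.
    $node = $groups.AppendChild($xml.CreateElement($name))
    $node.InnerText = $existing.DistinguishedName
}

$xml.Save($ConfigPath)
Get-Content $ConfigPath

# Then run setup as in step 7:
#   C:\ServerSetup.exe /config C:\configprecreate.xml
```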