Defining GPO for Dynamics 365

Tags

To install Dynamics 365 platform it is a good practice to have a well-defined Organization Unit (OU) in the Active Directory domain. The different OU’s that can be created in AD structure include the following:

Service Accounts : Listing the various service accounts that will be used for the various CRM platform roles, SQL Server, SSRS, Active Directory Federation Services (ADFS) etc.
Groups: This will have all of the four groups viz., PrivReportingGroup, PrivUserGroup, ReportingGroup, SqlAccessGroup that are part of the CRM platform
LocalAdmin: This will contain groups that will assign LocalAdmin and SysAdmin permissions to the servers.
RestrictedGroups: This will contain groups that will assing LogonAsService, LogonAsBatch, ImpersonateClient, PerformanceLogUsers.
Servers: Contains the list of servers where the GPO will be applied

With the above requirements, the AD OU group(s) structure in test domain idynamics.dev is as per below:

Capture1

Service Account(s) for CRM platform defined as per below:

With above structure in place we will now go ahead and create Group Policy Objects required:

Open Group Policy Management editor
Create a DB Admin GPO purpose is to have Administrator permissions on SQL Server

Right-click on Group Policy Objects > New and enter the following

Capture7

Now we will associate CRM-DEV-SQL-Administrator group to this GPO to have Administrator permission on the server DEV-CRM.

Right-click on DB Admin GPO and bring up the Edit dialogue window

Capture8

Navigate to Computer Configuration > Policies> Windows Settings > Security Settings> Restricted > Add Group and add CRM-DEV-SQL-Administrator. Configure membership as per the following:

Capture9