To install Dynamics 365 platform it is a good practice to have a well-defined Organization Unit (OU) in the Active Directory domain. The different OU’s  that can be created in AD structure include the following:


  • Service Accounts : Listing the various service accounts that will be used for the various CRM platform roles, SQL Server, SSRS, Active Directory Federation Services (ADFS) etc.
  • Groups: This will have all of the four groups viz., PrivReportingGroup, PrivUserGroup, ReportingGroup, SqlAccessGroup that are part of the CRM platform
  • LocalAdmin: This will contain groups that will assign LocalAdmin and SysAdmin permissions to the servers.
  • RestrictedGroups: This will contain groups that will assing LogonAsService, LogonAsBatch, ImpersonateClient, PerformanceLogUsers.
  • Servers: Contains the list of servers where the GPO will be applied

With the above requirements, the AD OU group(s) structure in test domain idynamics.dev is as per below:



Service Account(s) for CRM platform defined as per below:


With above structure in place we will now go ahead and create Group Policy Objects required:

  • Open Group Policy Management editorCapture6
  • Create a DB Admin GPO purpose is to have Administrator permissions on SQL Server

Right-click on Group Policy Objects > New and enter the following


Now we will associate CRM-DEV-SQL-Administrator group to this GPO to have Administrator permission on the server DEV-CRM.

Right-click on DB Admin GPO and bring up the Edit dialogue window


Navigate to Computer Configuration > Policies> Windows Settings > Security Settings> Restricted > Add Group and add CRM-DEV-SQL-Administrator.  Configure membership as per the following:



Now that the GPO is defined we will link the above to the computers listed under Server OU


In the Group Policy Management editor right-click on server and Link to an existing GPO



Now logon to the server DEV-CRM and the CRM-DEV-SQL-Administrator group should be published through GPO in the Local Administrator group


Following similar steps create additional GPO’s as per the following table: