Overview
Being primarily responsible for our hosted CRM 2011 environment, it has bothered me for some time that the ‘New Multiple Users’ button in CRM 2011 provides our hosted Users access to our Active Directory Domain structure. This potentially includes our hosted client list AND the names of the Users in those Organisations.
In CRM 4.0, it was possible to update a setting to disallow the addition of Users in a specific Organisation. Although an equivalent mechanism exists in CRM 2011, it is accessible only via a direct database update (I am the supported mechanism nazi around here, so I’d rather not go there) – even the Microsoft CRM SDK Team were unable to assist.
Light at the End of the Tunnel
An update to a post on the Dynamics CRM forums this morning pointed me in the direction of a mechanism to ensure that our hosted Users will have access only to the specific AD OU in which their CRM Users reside. The post shows how to effect such an update via a direct database update:
http://social.microsoft.com/Forums/en-US/crm/thread/848ea8e6-3bd3-44d5-8363-cdb95a34c0d1
Supported Mechanism to Set CRM Organisation Active Directory UserRootPath
The same can be achieved via the following supported code:
```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Xrm.Sdk.Deployment;
using Microsoft.Xrm.Sdk.Deployment.Proxy;

// Connect to the CRM 2011 Deployment Service as a Deployment Administrator
DeploymentServiceClient deploymentClient =
    ProxyClientHelper.CreateClient(new Uri("http://<server>:<port>/XRMDeployment/2011/Deployment.svc"));
deploymentClient.ClientCredentials.Windows.ClientCredential =
    new System.Net.NetworkCredential("<username>", "<password>", "<domain>");

// find org
var organizations = deploymentClient.RetrieveAll(DeploymentEntityType.Organization);
var org = organizations.Where(o => o.Name.Equals("<orgname>")).SingleOrDefault();
if (org == null)
{
    throw new InvalidOperationException("Organisation '<orgname>' was not found in this deployment.");
}

// update UserRootPath setting: the OU (and its children) the 'New Multiple Users' dialog may browse
ConfigurationEntity orgSettings = new ConfigurationEntity { Id = org.Id, LogicalName = "Organization" };
orgSettings.Attributes = new AttributeCollection();
orgSettings.Attributes.Add(new KeyValuePair<string, object>(
    "UserRootPath",
    "LDAP://<domain>.<tld>/OU=<ou4>,OU=<ou3>,OU=<ou2>,OU=<ou1>,DC=<domain>,DC=<tld>"));

UpdateAdvancedSettingsRequest reqUpdateSettings = new UpdateAdvancedSettingsRequest { Entity = orgSettings };
UpdateAdvancedSettingsResponse respUpdateSettings =
    (UpdateAdvancedSettingsResponse)deploymentClient.Execute(reqUpdateSettings);
```
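Because a blank or domain-root UserRootPath silently re-exposes the whole directory, I want the change to be verifiable rather than fire-and-forget. The following is an added example (my own code, not part of the original post or of the CRM SDK samples) that reads the current value with RetrieveAdvancedSettingsRequest, refuses a path that does not point at an OU, applies the update and reads it back. It assumes the Deployment SDK's ColumnSet(bool) constructor and the Id property on RetrieveAdvancedSettingsRequest select the organisation; server, credentials, organisation name and OU are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Xrm.Sdk.Deployment;
using Microsoft.Xrm.Sdk.Deployment.Proxy;

// Added example: set UserRootPath for one organisation and confirm it took effect.
public static class UserRootPathTool
{
    // Reads the organisation's current UserRootPath (null if it has never been set,
    // which CRM treats as "the entire domain").
    public static string ReadUserRootPath(DeploymentServiceClient client, Guid orgId)
    {
        var request = new RetrieveAdvancedSettingsRequest
        {
            ConfigurationEntityName = "Organization",
            ColumnSet = new ColumnSet(true), // assumption: ColumnSet(bool allColumns)
            Id = orgId                       // assumption: Id scopes the request to this org
        };
        var response = (RetrieveAdvancedSettingsResponse)client.Execute(request);
        var attribute = response.Entity.Attributes
            .FirstOrDefault(a => a.Key.Equals("UserRootPath", StringComparison.OrdinalIgnoreCase));
        return attribute.Value as string;
    }

    // Rejects anything that would widen, rather than narrow, what hosted users can browse.
    public static bool IsRestrictingPath(string ldapPath)
    {
        return !string.IsNullOrWhiteSpace(ldapPath)
            && ldapPath.StartsWith("LDAP://", StringComparison.OrdinalIgnoreCase)
            && ldapPath.IndexOf("OU=", StringComparison.OrdinalIgnoreCase) >= 0;
    }

    public static void WriteUserRootPath(DeploymentServiceClient client, Guid orgId, string ldapPath)
    {
        if (!IsRestrictingPath(ldapPath))
        {
            throw new ArgumentException("UserRootPath must be an LDAP:// path to an OU, not the domain root.");
        }
        var settings = new ConfigurationEntity { Id = orgId, LogicalName = "Organization" };
        settings.Attributes = new AttributeCollection();
        settings.Attributes.Add(new KeyValuePair<string, object>("UserRootPath", ldapPath));
        client.Execute(new UpdateAdvancedSettingsRequest { Entity = settings });
    }

    public static void Main()
    {
        // Placeholder connection details; replace with your deployment's values.
        var client = ProxyClientHelper.CreateClient(
            new Uri("http://<server>:<port>/XRMDeployment/2011/Deployment.svc"));
        client.ClientCredentials.Windows.ClientCredential =
            new System.Net.NetworkCredential("<username>", "<password>", "<domain>");

        var org = client.RetrieveAll(DeploymentEntityType.Organization)
            .SingleOrDefault(o => o.Name.Equals("<orgname>", StringComparison.OrdinalIgnoreCase));
        if (org == null)
        {
            throw new InvalidOperationException("Organisation '<orgname>' not found.");
        }

        const string tenantOu = "LDAP://<domain>.<tld>/OU=<ou4>,OU=<ou3>,OU=<ou2>,OU=<ou1>,DC=<domain>,DC=<tld>";

        string before = ReadUserRootPath(client, org.Id);
        WriteUserRootPath(client, org.Id, tenantOu);
        string after = ReadUserRootPath(client, org.Id);

        // Keep this line in your change log: it records what the org could browse before and after.
        Console.WriteLine("UserRootPath for {0}: '{1}' -> '{2}'", org.Name, before ?? "(unset)", after);
        if (!string.Equals(after, tenantOu, StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException("UserRootPath did not persist; check Deployment Administrator rights.");
        }
    }
}
```

Run it once per hosted organisation from a machine that can reach the Deployment Service; the read-before-write value is worth keeping, since an unset value is the symptom this post is about and you will want to know which organisations still have it.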
If you’re not sure what the distinguishedName of the target OU is, you can find it in the Active Directory Users and Computers tool:
Enable Advanced Features
Use Attribute Editor to Locate distinguishedName
Thanks to Neil McD for the inspiration!
[…] Edit: Pogo69 from the Microsoft forums has taken this a step further and implemented it in supported code. See his solution here […]
Pingback by Restricting Hosted CRM Users From browsing Active Directory « XRM Rocks — February 16, 2013 @ 20:20
[…] are some unsupported methods as well as supported C# code to achieve the result. Considering that administrator’s language of choice is powershell, […]
Pingback by Tip #144: Restrict AD browsing when adding new users | Dynamics CRM Tip Of The Day — May 29, 2014 @ 10:00
[…] are some unsupported methods as well as supported C# code to achieve the result. Considering that administrator’s language of choice is powershell, […]
Pingback by Tip #144: Restrict AD browsing when adding new users - Dynamics CRM Tip of the Day - Microsoft Dynamics CRM - Microsoft Dynamics Community — June 6, 2014 @ 05:58