Pogo69's Blog

December 21, 2012

Restricting Active Directory Domain Access in a Hosted CRM 2011 Deployment

Filed under: Cutting Code — pogo69 [Pat Janes] @ 10:21

Overview

Being primarily responsible for our hosted CRM 2011 environment, it has bothered me for some time that the ‘New Multiple Users’ button in CRM 2011 provides our hosted Users access to our Active Directory Domain structure.  This potentially includes our hosted client list AND the names of the Users in those Organisations.

multiple_users

In CRM 4.0, it was possible to update a setting to disallow the addition of Users in a specific Organisation.  Although an equivalent mechanism exists in CRM 2011, it is accessible only via a direct database update (I am the supported mechanism nazi around here, so I’d rather not go there) – even the Microsoft CRM SDK Team were unable to assist.

Light at the End of the Tunnel

An update to a post on the Dynamics CRM forums this morning pointed me in the direction of a supported mechanism to ensure that our hosted Users will have access only to the specific AD OU in which their CRM Users reside.  The post indicates how to affect such an update via direct database update:

http://social.microsoft.com/Forums/en-US/crm/thread/848ea8e6-3bd3-44d5-8363-cdb95a34c0d1

Support Mechanism to Set CRM Organisation Active Directory UserRootPath

The same can be achieved via the following supported code:

Microsoft.Xrm.Sdk.Deployment.DeploymentServiceClient deploymentClient = Microsoft.Xrm.Sdk.Deployment.Proxy.ProxyClientHelper.CreateClient(new Uri("http://<server>:<port>/XRMDeployment/2011/Deployment.svc"));
deploymentClient.ClientCredentials.Windows.ClientCredential = new System.Net.NetworkCredential("<username>", "<password>", "<domain>");
// find org
var organizations = deploymentClient.RetrieveAll(Microsoft.Xrm.Sdk.Deployment.DeploymentEntityType.Organization);
var org = organizations.Where(o => o.Name.Equals("<orgname>")).SingleOrDefault();
// update UserRootPath setting
Microsoft.Xrm.Sdk.Deployment.ConfigurationEntity orgSettings = new Microsoft.Xrm.Sdk.Deployment.ConfigurationEntity
{
  Id = org.Id,
  LogicalName = "Organization"
};
orgSettings.Attributes = new Microsoft.Xrm.Sdk.Deployment.AttributeCollection();
orgSettings.Attributes.Add(new KeyValuePair<string, object>("UserRootPath", "LDAP://<domain>.<tld>/OU=<ou4>,OU=<ou3>,OU=<ou2>,OU=<ou1>,DC=<domain>,DC=<tld>"));
Microsoft.Xrm.Sdk.Deployment.UpdateAdvancedSettingsRequest reqUpdateSettings = new Microsoft.Xrm.Sdk.Deployment.UpdateAdvancedSettingsRequest
{
  Entity = orgSettings
};
Microsoft.Xrm.Sdk.Deployment.UpdateAdvancedSettingsResponse respUpdateSettings = (Microsoft.Xrm.Sdk.Deployment.UpdateAdvancedSettingsResponse)deploymentClient.Execute(reqUpdateSettings);

If you’re not sure what the distinguishedName of the target OU is, you can find it in the Active Directory Users and Computers tool:

Enable Advanced Features

AdvancedFeatures

 

Use Attribute Editor to Locate distinguishedName

distinguishedName

Thanks to Neil McD for the inspiration!

Advertisements

3 Comments »

  1. […] Edit: Pogo69 from the Microsoft forums has taken this a step further and implemented it in supported code. See his solution here […]

    Pingback by Restricting Hosted CRM Users From browsing Active Directory « XRM Rocks — February 16, 2013 @ 20:20

  2. […] are some unsupported methods as well as supported C# code to achieve the result. Considering that administrator’s language of choice is powershell, […]

    Pingback by Tip #144: Restrict AD browsing when adding new users | Dynamics CRM Tip Of The Day — May 29, 2014 @ 10:00

  3. […] are some unsupported methods as well as supported C# code to achieve the result. Considering that administrator’s language of choice is powershell, […]

    Pingback by Tip #144: Restrict AD browsing when adding new users - Dynamics CRM Tip of the Day - Microsoft Dynamics CRM - Microsoft Dynamics Community — June 6, 2014 @ 05:58


RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: