Microsoft Dynamics 365 Blog

Sometimes an organization unit (OU) will want to restrict Active Directory (AD) User queries in a hosted environment in CRM 4.0. This allows them more security from external organizations.

In the multi-tenant or hosting environment, all CRM administrators can browse the entire AD structure and add any user to their CRM organization. This presents the following security challenges:

1. CRM administrators are able to see the entire AD structure of the host.

2. CRM administrators are able to see other users in the host’s AD domain and add them to their CRM organization.

A design change was requested to have CRM administrators only see and add the users from their own OU into their CRM organization.

The CRM 4.0 platform has no concept about the user root path for each individual organization in the AD structure. It can always traverse and add the CRM user under the root of the AD domain. So to adjust this to your company’s requirements lets use this example. In a multi-tenant hosting environment, the OUs in an AD could be structured as below:


                        + OU-A (Org-A)

                                    + User-A1 (User)

                                    + User-A2 (User)

                        + OU-B (Org-B)

                                    + User-B1 (User)

                                    + User-B2 (User)

With the design change, the root path for the CRM organization users is set in the configuration database using the CRM Deployment and Configuration tool. The CRM administrator is restricted to browse, resolve and create the new user under the user root path for their organization.

To set (add/update) the UserRootPath OU-A for organization Org-A, the hosting admin needs to run the tool using this command line:

Microsoft.Crm.DeploymentConfigTool.exe userorgsettings update -organization:Org-A -propertyname:UserRootPath -propertyvalue:LDAP://;DC=hosting;DC=com

To remove the UserRootPath for organization Org-A, run:

Microsoft.Crm.DeploymentConfigTool.exe userorgsettings update -organization:Org-A -propertyname:UserRootPath

After the UserRootPath OU-A is set the CRM administrator of the organization Org-A can only see and add the user under the path such as User-A1 and User-A2. After the UserRootPath is removed, CRM will be restored to its previous state based on the default V4 design, the CRM admin can see and add the users from the entire AD structure.

Here are the steps for the host admin to set the CRM server to restricting the CRM administrator’s access to their own organization:

1. Install Update Rollup 4 or later onto your CRM server.

2. Download the CRM Deployment and Configuration tool to CRM server.

3. Run the tool to add the UserRootPath in AD to the specific organization.

4. Restart IIS.

Now the CRM administrators can only view and add users in their UserRootPath that is set for their organization in AD.

More Information:

This change is available in CRM 4.0 Update Release 4 or newer. You can download UR 4 here:

The CRM Deployment and Configuration tool can be downloaded here:


Chris Xia

We're always looking for feedback and would like to hear from you. Please head to the Dynamics 365 Community to start a discussion, ask questions, and tell us what you think!