HOW TO: Relinking System User to AD User

Sometimes you may find yourself in a situation where a CRM system user record is no longer pointing to your Active Directory user. This broken link basically prevents the user from accessing CRM! Not good! In my experience this occurs due to the infrastructure IT bods not being fully aware of CRM and how it is tied to AD. So while managing AD they may delete users to keep things nice and tidy. While doing this, for example, they may accidentally delete the wrong AD account, recreate it and think everything will be OK, or they may delete someone who has left the business and a few months later the person is recruited back into the business. I’m sure you can think of other reasons why the link between CRM and AD users might become broken but the effect is always the same… The user can’t access CRM anymore! So let's fix this with an example.

For our example let's say John the IT bod accidentally deleted the wrong AD account of an active CRM user called Jane. To try and cover his tracks he quickly recreates the AD user and breathes a sigh of relief that no one noticed what he did. Until Jane starts to complain that she cannot access CRM any more. John = BUSTED! The recreated account has the same username but a new ObjectGUID and SID, so CRM no longer recognises it as Jane. So what can we do to sort this mess out? Here are some steps:

  • Firstly check the CRM record of the broken user and note down the domain and username. Ask the IT bod if the new AD account matches what you have noted down.
  • If it does then ask the IT bod to get the ObjectGUID and the SID for the new AD Account.

Locating the ObjectGUID and SID of an AD Account

There are many ways in which you can get the ObjectGUID and SID. You should always start by asking the guy that looks after AD to get them for you. If you can’t do that then here's the method I use to get the values:

  • Start Active Directory Module for Windows PowerShell.
  • Enter Get-ADUser "USERNAMEHERE"
  • You will then see the AD Account details. Note down the ObjectGuid and the SID.
  • Open up SQL Management Studio and, within the organisation database that user was a part of, select the SystemUserBase table and choose to edit the rows. Locate the record of the broken user (you can use the Domain Name to identify the correct record). In the ActiveDirectoryGuid column for that record, enter the new one the IT bod gave you.
  • Now go to the MSCRM_CONFIG database and, using the SystemUser and SystemUserAuthentication tables, locate the record that's associated with your broken user within SystemUserAuthentication. Change the AuthInfo to be the new SID you have noted down.

Job Done! Now Jane will be able to log back into CRM and all her records will be correctly linked to her CRM user. Time to give John a right telling off!
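The two table edits above can also be run as one T-SQL transaction that refuses to commit unless exactly one row matches in each table. This is an added example, not part of the original post. Assumptions: the organisation database is called YourOrg_MSCRM (placeholder), the Domain Name column is named DomainName, every value is a placeholder, and the old SID is read from the broken user's current AuthInfo value.

```sql
-- Added example (not from the original post). YourOrg_MSCRM and every value
-- below are placeholders; the DomainName column name is an assumption.
SET XACT_ABORT ON;

DECLARE @DomainName nvarchar(255) = N'DOMAIN\username';  -- noted from the CRM user record
DECLARE @NewGuid uniqueidentifier = '00000000-0000-0000-0000-000000000000';  -- ObjectGuid from Get-ADUser
DECLARE @OldSid nvarchar(200) = N'S-1-5-21-OLD-PLACEHOLDER';  -- SID inside the current AuthInfo value
DECLARE @NewSid nvarchar(200) = N'S-1-5-21-NEW-PLACEHOLDER';  -- SID from Get-ADUser
DECLARE @rows int;

BEGIN TRANSACTION;

-- Show the values about to be replaced so they can be saved for audit or undo.
SELECT DomainName, ActiveDirectoryGuid
FROM   [YourOrg_MSCRM].dbo.SystemUserBase
WHERE  DomainName = @DomainName;

SELECT AuthInfo
FROM   [MSCRM_CONFIG].dbo.SystemUserAuthentication
WHERE  AuthInfo LIKE N'%' + @OldSid;

-- Step 1: point the CRM user at the new AD object.
UPDATE [YourOrg_MSCRM].dbo.SystemUserBase
SET    ActiveDirectoryGuid = @NewGuid
WHERE  DomainName = @DomainName;
SET @rows = @@ROWCOUNT;
IF @rows <> 1
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR(N'SystemUserBase: matched %d rows, expected 1. Nothing changed.', 16, 1, @rows);
    RETURN;
END;

-- Step 2: swap only the SID inside AuthInfo, leaving the rest of the value intact.
UPDATE [MSCRM_CONFIG].dbo.SystemUserAuthentication
SET    AuthInfo = REPLACE(AuthInfo, @OldSid, @NewSid)
WHERE  AuthInfo LIKE N'%' + @OldSid;
SET @rows = @@ROWCOUNT;
IF @rows <> 1
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR(N'SystemUserAuthentication: matched %d rows, expected 1. Nothing changed.', 16, 1, @rows);
    RETURN;
END;

COMMIT TRANSACTION;
```

Keep the output of the two SELECT statements with the change record, since it is the only copy of the previous ActiveDirectoryGuid and AuthInfo values.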

