Administrators can unexpectedly view Active Directory users who do not belong to the administrator's organizational unit in Microsoft Dynamics CRM 4.0

Article ID: 959549 - View products that this article applies to.
Expand all | Collapse all

On This Page

SYMPTOMS

Consider the following scenario. You are an administrator of an organizational unit (OU) in Microsoft Dynamics CRM 4.0. This OU is in an Internet-Facing Deployment (IFD) that has multiple organizations. In this scenario, you can unexpectedly view the whole Active Directory structure. Therefore, you can view Active Directory users even if they belong to another OU.
Back to the top | Give Feedback

RESOLUTION

This problem is fixed in Update Rollup 2 for Microsoft Dynamics CRM 4.0.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
959419
(http://support.microsoft.com/kb/959419/ )
Update Rollup 2 for Microsoft Dynamics CRM 4.0 is available

Installation information

After you install Update Rollup 2 for Microsoft Dynamics CRM 4.0, you must perform the required configuration. To do this, follow these steps:
  1. Obtain the latest Microsoft Dynamics CRM Deployment Configuration tool. To do this, visit the following Microsoft Web site:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=6e211231-30fe-4df2-9b81-15cfb87adcf1
    (http://www.microsoft.com/downloads/details.aspx?FamilyID=6e211231-30fe-4df2-9b81-15cfb87adcf1)
  2. For each organization in which you want to restrict Active Directory searches, run the following command to set the root of any search:
    Microsoft.Crm.DeploymentConfigTool.exe userorgsettings update -organization:<ORG_NAME> -propertyname:UserRootPath -propertyvalue:LDAP://<DOMAIN_NAME>/OU=<ORG_OU>;DC=<DOMAIN>;DC=<DOMAIN_SUFFIX>
    Notes
    • In this command, the <ORG_NAME> placeholder represents the actual name of the Microsoft Dynamics CRM organization.
    • The <DOMAIN_NAME> placeholder represents the actual fully qualified domain name. For example, the <DOMAIN_NAME> placeholder may be "microsoft.com."
    • The <ORG_OU> placeholder represents the actual organizational unit in the Active Directory structure that you want searches for the organization to start from.

      Note Multiple organizational unit levels may require an "OU=<ORG_OU>" parameter for each organizational unit that begins from the lowest level.
    • The <DOMAIN> placeholder represents the first part of the domain name. For example, the <DOMAIN> placeholder may be "microsoft."
    • The <DOMAIN_SUFFIX> placeholder represents the domain suffix. For example, the <DOMAIN_SUFFIX> placeholder may be "com."
Back to the top | Give Feedback

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Back to the top | Give Feedback

MORE INFORMATION

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684
(http://support.microsoft.com/kb/824684/LN/ )
Description of the standard terminology that is used to describe Microsoft software updates
For more information about Microsoft Business Solutions CRM software hotfix and update package terminology, click the following article number to view the article in the Microsoft Knowledge Base:
887283
(http://support.microsoft.com/kb/887283/ )
Microsoft Business Solutions CRM software hotfix and update package naming standards
Back to the top | Give Feedback

Properties

Article ID: 959549 - Last Review: March 19, 2009 - Revision: 1.0
APPLIES TO
  • Microsoft Dynamics CRM 4.0
Keywords: 
kbfix kbexpertiseinter kbsurveynew kbmbsmigrate kbqfe KB959549
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top