Various CRM operations may fail when the CRMAppPool account is configured as a CRM user:
Data Import may fail
CRM Outlook Clients may not configure
Async Operations may have unexpected behaviour including Workflows stopping with a Failed status
No users can access CRM
IFD access may fail for some or all users
Date/Time fields may not display correct timezone offset
The CRMAppPool account is considered the “SYSTEM” user in CRM. It is not a true user, and shouldn’t be. It is allowed access in CRM through the PrivUserGroup in Active Directory, along with other groups that it is a member of on the CRM server and through internal CRM platform and application code.
Many CRM operations are called through the CRM APIs under the context of the SYSTEM user account. If the CRMAppPool user account is a CRM user, these calls will run under the context of the CRM user and not the SYSTEM user, and could fail to execute in the various parts of CRM described in the Symptoms section.
Once this user is created it may cause various problems if the following is not met:
The user has been disabled
The user has not been granted a security role
The role does not contain all privileges to complete various operations including hidden roles
Resolution 1: Change the CRMAppPool user account to a new Active Directory user account.
Resolution 2: Change the CRM user to a new Active Directory user account which is not tied to any CRM services.
We strongly recommend that you select a low-privilege domain account that is dedicated to running these services and is not used for any other purpose. Additionally, the user account that is used to run a Microsoft Dynamics CRM service cannot be a Microsoft Dynamics CRM user. This domain account must be a member of the Domain Users group. Additionally, if the Asynchronous Service and Sandbox Processing Service roles are installed, such as in a Full Server or a Back End Server installation, the domain account must be a member of the Performance Log Users security group.
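One way to audit the CRMAppPool identity against the requirements above, as an added example that is not part of the original article or Microsoft's own tooling. The SQL Server name, the organization database name, the SystemUserBase table with its DomainName column, and the DOMAIN\user form of the pool identity are assumptions to adjust for your deployment.

```powershell
# Added example: audit the CRMAppPool identity. Run elevated on the CRM server.
Import-Module WebAdministration
Import-Module ActiveDirectory

$poolName  = 'CRMAppPool'
$sqlServer = 'SQL01'            # hypothetical SQL Server host
$orgDb     = 'Contoso_MSCRM'    # hypothetical organization database
$findings  = @()

# 1. Which account does the application pool run as?
$pm = Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel
if ($pm.identityType -ne 'SpecificUser') {
    throw "$poolName runs as built-in identity '$($pm.identityType)'; these checks expect a domain account."
}
$account = $pm.userName                 # assumed to be stored as DOMAIN\user
$sam     = ($account -split '\\')[-1]

# 2. Domain groups: Domain Users is required, admin groups contradict "low-privilege".
$groups = (Get-ADPrincipalGroupMembership -Identity $sam).Name
if ($groups -notcontains 'Domain Users') { $findings += 'Not a member of Domain Users' }
$admin = $groups | Where-Object { $_ -in 'Domain Admins', 'Enterprise Admins' }
if ($admin) { $findings += "High-privilege group membership: $($admin -join ', ')" }

# 3. Performance Log Users (local group, needed with the Asynchronous/Sandbox roles).
#    Only direct membership is checked, not membership through a nested group.
$plu = Get-LocalGroupMember -Group 'Performance Log Users' -ErrorAction SilentlyContinue
if ($plu.Name -notcontains $account) { $findings += 'Not a direct member of Performance Log Users' }

# 4. Is the same account present as a CRM user? Read-only, parameterized query.
#    Table and column names are assumptions about the organization database schema.
$conn = New-Object System.Data.SqlClient.SqlConnection "Server=$sqlServer;Database=$orgDb;Integrated Security=True"
$cmd  = $conn.CreateCommand()
$cmd.CommandText = 'SELECT COUNT(*) FROM SystemUserBase WHERE DomainName = @dn'
[void]$cmd.Parameters.AddWithValue('@dn', $account)
$conn.Open()
try     { $isCrmUser = [int]$cmd.ExecuteScalar() -gt 0 }
finally { $conn.Close() }
if ($isCrmUser) { $findings += "$account exists as a CRM user in $orgDb" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Output "$account meets the service account requirements checked here." }
```

Repeat the check in step 4 for each organization database, since the account could be a CRM user in one organization and not in another.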