Various operation of CRM may fail when the CRMAppPool account is configured as a CRM user.

  • Data Import may fail

  • CRM Outlook Clients may not configure

  • Async Operations may have unexpected behaviour including Workflows stopping with a Failed status

  • No users can access CRM

  • IFD access may fail for some or all users

  • Date/Time fields may not display correct timezone offset


The CRMAppPool account is considered the “SYSTEM” user in CRM. It is not a true user, and shouldn’t be. It is allowed access in CRM through the PrivUserGroup in Active Directory, along with other groups that it is a member of on the CRM server and through internal CRM platform and application code.

Many CRM operations are called through the CRM API's udner the context of the SYSTEM user account. If the CRMAppPool user account is a CRM user these calls will run under the context of the CRM user and not the SYSTEM user and could fail to execute in various parts of CRM described in the Symptoms section.

Once this user is created it may cause various problems if the following is not met:

  • The user has been disabled

  • The user has not been granted a security role

  • The role does not contain all privileges to complete various operations including hidden roles


  1. Resolution 1: Change the CRMAppPool user account to a new Active Directory user account.

  2. Resolution 2: Change the CRM user to a new Active Directory user account which is not tied to any CRM services.

More Information

Please refer to the CRM Implementation Guide for setting up service accounts.

  • We strongly recommend that you select a low-privilege domain account that is dedicated to running these services and is not used for any other purpose. Additionally, the user account that is used to run a Microsoft Dynamics CRM service cannot be a Microsoft Dynamics CRM user. This domain account must be a member of the Domain Users group. Additionally, if the Asynchronous Service and Sandbox Processing Service roles are installed, such as in a Full Server or a Back End Server installation, the domain account must a member of the Performance Log Users security group.

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

What affected your experience?

Thank you for your feedback!