Background
- CRM 2011 with Rollup 18
- Using an existing CRM 2011 database backup, restore a copy of the database with a new name.
- Import that database using the Deployment Manager to create a new organisation. The small number of existing users were automatically mapped across to the new organisation.
The Problem
When I attempted to login to the organisation I was presented with the following:
I knew the problem wasn’t with the domain account because I could use it to log into other CRM organisations on the same server. I could also login to the newly created organisation with a different domain user; doing this allowed me to confirm that the problem domain account did exist in the list of active users. Something was missing for this user in the new organisation.
The solution
After some digging around I got some pointers to the MSCRM_CONFIG database and the SystemUserOrganizations table, which links your System User to Organisations on your CRM server.
Disclaimer: The steps below interact directly with the CRM databases. If you aren’t familiar with these databases, please do not attempt these steps as many things can go wrong if you make a mistake.
- Find the OrganizationId and SystemUserId from the SystemUserBase table in the Organisation database.
- Use the following query to identify to which Organisations the account is linked;
select sua.AuthInfo ,sua.UserId ,suo.CrmUserId ,suo.OrganizationId from SystemUserAuthentication sua inner join SystemUserOrganizations suo on sua.UserId = suo.UserId where suo.CrmUserId = '<my-systemuserid>' order by suo.OrganizationId, sua.UserId, sua.AuthInfo
- Each Organisation should have two entries, one for the Active Directory SID and one for the CRM username. In my case there were only two entries for the original organisation and none for the newly imported organisation.
- Create the new entry in the SystemUserOrganizations table to link the existing System User to the newly imported Organisation.
insert into SystemUserOrganizations ( CrmUserId ,DirectoryObjectId ,Id ,LastAccessTime ,OrganizationId ,UniqueifierId ,UserId ,IsDeleted ,IsDisabled ,IsLicensed) values ( '<SystemUserId-from-SystemUserBase table>' ,NULL ,NEWID() ,NULL ,'<OrganizationId-from-SystemUserBase table>' ,NULL ,'<UserId-from-SystemUserAuthentication table>' ,0 ,NULL ,NULL)
- The domain account is now able to access the new organisation.