Issues new secured deployment:

Eduardo Acosta 0 Reputation points
2026-06-22T15:15:43.0266667+00:00

We are deploying new servers for our On-Premise Dynamics CRM Customer engagement platform. In this new deployment we are following the security considerations regarding minimally privileged CRM services domain accounts.

Security considerations for Dynamics 365 Customer Engagement (on-premises) | Microsoft Learn

 

Setup on Backend, Frontend and Report Server Extensions worked smoothly, but trying to create an organization this error repeats many times on the Backend Event Log

 Sandbox Host - Access Denied.

 Host: PROD-BACK01 

Thanks.

 

Windows for business | Windows Server | Devices and deployment | Set up, install, or upgrade
0 comments No comments

1 answer

Sort by: Most helpful
  1. Chen Tran 11,540 Reputation points Independent Advisor
    2026-06-22T16:07:28.1033333+00:00

    Hello Eduardo,

    Thank you for posting question on Microsoft Windows Forum!

    Based on the issue description as well as the provided error "Sandbox Host - Access Denied" on your backend server (PROD-BACK01) during organization creation which might indicate that the domain account running the Microsoft Dynamics 365 Sandbox Processing Service (MSCRMSandboxService) lacks a critical permission required to spin up the isolated worker processes (Microsoft.Crm.Sandbox.WorkerProcess.exe).

    When running under least privilege, the Sandbox Processing Service account must be able to monitor system counters, or the host process will fail to initialize. The suggestion is on PROD-BACK01, open Local Users and Groups (lusrmgr.msc). Try to add the Sandbox Service domain account to the local Performance Log Users group.

    Another point worth mentioning here is that during the organization creation wizard, the Sandbox service is called upon to validate and provision isolated components. To do this, it needs specific CRM-defined directory permissions. Making sure that your Sandbox Service account is an explicit member of the following Active Directory groups created during your initial CRM deployment PrivUserGroup (The service must operate within this privileged CRM context) and SQLAccessGroup (Required to touch the configuration and the newly staging organization databases).

    Also, try to verify that the domain account has not been blocked by a restrictive Group Policy (GPO) on the backend server. You can open the Local Security Policy (secpol.msc) on PROD-BACK01 and navigate to Local Policies > User Rights Assignment. Ensure the account has Log on as a service (SeServiceLogonRight) and ensure it is not listed under Deny log on locally or Deny log on as a service.

    If you are using Kerberos, the Sandbox account may also need the correct SPN.

    You can consult the following article for more information regarding your concerns.

    Hope the above information is helpful! If it is. Free feel to hit "Accepted" for benefitting others in community having the same issue too.

    Was this answer helpful?


Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.