Dynamics CRM 2011 Recover Deleted Active Directory User Accounts
Sometimes user accounts in CRM get out of sync with Active Directory. This can be caused by:
- AD account deleted and re-created
- AD restores
- Anything else that changes the objectGUID in AD
The most common cause is accounts deleted in Active Directory. For example, a person returns to a company that previously used CRM; their CRM account was disabled, the AD admins deleted the AD account, and now they create a new AD account with the same details. If we try to enable the user account in CRM, we get an error because CRM can't find the same AD GUID:
External Error - No such Object on Server
If we haven't disabled the CRM account, we don't need to follow the instructions below: simply change the username field to a random test account and save, then change it back to the user account we want to configure and save again. This updates the user GUID and the AD SID in CRM. However, if we have disabled the account, we need to do the following steps.
Building the LDAP Query
The process is simple: find the new objectGUID and objectSID in AD with an LDAP query, then update the CRM database manually.
We can use any LDAP tool; for simplicity, I find the LDP tool simple to use, and it is also available on Windows 2008 R2 servers.
Simply search for ldp in the Windows search box, or type c:\ldp at the command prompt and press Enter.
With the tool open, go to the Connection menu, select Connect, and type the LDAP/DC server.
Once connected, we need to bind the session to a user account so the search is performed under that user's context. Go to Connection > Bind.
I've used the currently logged-on user, but we can specify any account we want.
Once the session is bound to an account, we should get a success message like the one below:
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='NULL'; Pwd=; domain = 'NULL'}
Authenticated as: 'DOMAIN\your_account'.
In the Search window, type the Base DN (Distinguished Name), which is the location of the account in AD, select the scope Base, and, most importantly, select the attributes we want to view. In this case we only need:
objectGUID
objectSID
Compare the results with CRM
Compare these values with the ones in the CRM database:
-- Run against the CRM organisation database; the config tables are qualified with MSCRM_CONFIG.dbo
SELECT DISTINCT sub.FullName, sub.ActiveDirectoryGuid, sua.AuthInfo, sua.UserId
FROM SystemUserBase sub
INNER JOIN MSCRM_CONFIG.dbo.SystemUserOrganizations suo ON suo.CrmUserId = sub.SystemUserId
INNER JOIN MSCRM_CONFIG.dbo.SystemUserAuthentication sua ON sua.UserId = suo.UserId
WHERE sub.DomainName = 'domain\username'
Update CRM database
From the screenshots above, we can see that the information in CRM matches what is in AD. If the AD object changes, e.g. the account is deleted and re-created, the GUID and SID in the LDAP results will differ from the ones in CRM. Using the results of the LDAP query, update the CRM database manually:
-- ActiveDirectoryGuid lives in the organisation database (value taken from the objectGUID result)
UPDATE SystemUserBase
SET ActiveDirectoryGuid = 'EFAFC661-6F6B-42C4-A032-951CEBEAE174'
WHERE DomainName = 'domain\username'

-- AuthInfo lives in MSCRM_CONFIG (same table the SELECT above joins); the SID is prefixed with 'W:'
UPDATE MSCRM_CONFIG.dbo.SystemUserAuthentication
SET AuthInfo = 'W:S-1-5-21-515967899-492894223-725345543-907270'
WHERE UserId = '0C8672F1-B9B1-E111-A5B9-78E7D1652028'
Conclusion
The above process applies to most scenarios in which an account's objectGUID and objectSID have changed in AD and CRM has become out of sync with AD. If we didn't disable the CRM account, we are in a better position and can simply change the domain username to a dummy account and revert it. Once an account has been disabled, however, we can't enable it again, and the above process lets us recover the CRM account.