CRM 2011 – License Error – the selected user has not been assigned a security role

I did something very stupid yesterday but luckily I knew what the problem was almost as soon as I had done it.


I was looking to add a user to an organisation so I could log in to CRM as a different user with a different security role to see what they can do.

I added the user and then, before I could add a security role, I couldn’t log in and it was complaining I didn’t have the correct security role. Hmmm, what had happened? Had someone removed my user? (They could have, because there were 3 system admins; if there was only one and my user was that user, then it can’t be removed.)

Next I noticed the person next to me couldn’t login and in fact no one could login.

CRM was completely knocked out again, the 3rd time this week on 3 different CRM 2011 installations, although this time this was completely my fault.

I had added this user to my DEV CRM organisation, which is held on a different server.

I logged onto the problem CRM 2011 server and looked in the event log; there were errors about tracing and .NET 4 errors.

I then looked at the user in the CRM app pools; it was the user I had tried to add to CRM. This was also the user who was running the CRM services.

Oh damn, I just added the CRM service account as a user in CRM 2011.

For those of you who do not know (or haven’t installed CRM 2011): never add the CRM service account to an organisation, it will break everything. The CRM Service account CANNOT exist in a CRM organisation. This is one of those important bold messages in the CRM installation instructions, oops.

You might also see this message:

ecLib::RetrievePrivilegeForUser failed – no roles are assigned to user. Returned hr = -2147209463, User: [userid]

Microsoft have a KB article for people who do this

The system crashes when you add an account that is running the CRMAppPool as a Microsoft Dynamics CRM user

They explain the cause

By default, when a CRM user is created in Microsoft Dynamics CRM, the user has no security roles. Because the CRM service account is mapped with the newly created user, the CRM service account cannot operate anything. Therefore, the system crashes.

This behavior is by design. Making the account that is running the CRMAppPool into a Microsoft Dynamics CRM user is not supported.


The resolution isn’t that helpful

Keep the CRM service account as a dedicated service account.
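
A pre-flight check along those lines, as an added example that is not part of the original post or the KB article: run it on the CRM server before adding an account as a CRM user, and it reports whether that account is the identity of any IIS application pool or Windows service there. The script, the `Get-SamName` helper and the sample account name are assumptions made for illustration; it needs the IIS WebAdministration module and an elevated PowerShell session.

```powershell
# Added example: refuse to proceed if the candidate CRM user is a service identity.
param(
    [Parameter(Mandatory = $true)]
    [string]$Candidate   # e.g. 'CONTOSO\crmtest' (constructed sample value)
)

Import-Module WebAdministration

# Hypothetical helper: reduce 'DOMAIN\user' or 'user@domain' to the bare,
# lower-cased account name so the two notations compare equal.
function Get-SamName([string]$Account) {
    if ($Account -match '\\') { return ($Account -split '\\')[-1].ToLower() }
    if ($Account -match '@')  { return ($Account -split '@')[0].ToLower() }
    return $Account.ToLower()
}

$target = Get-SamName $Candidate
$hits = @()

# IIS application pools (CRMAppPool among them) that run as a custom account.
foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $pm = $pool.processModel
    if ($pm.identityType -eq 'SpecificUser' -and (Get-SamName $pm.userName) -eq $target) {
        $hits += "App pool '$($pool.Name)' runs as $($pm.userName)"
    }
}

# Windows services whose logon account matches the candidate.
foreach ($svc in Get-WmiObject Win32_Service) {
    if ($svc.StartName -and (Get-SamName $svc.StartName) -eq $target) {
        $hits += "Service '$($svc.Name)' runs as $($svc.StartName)"
    }
}

if ($hits.Count -gt 0) {
    Write-Warning "Do NOT add $Candidate as a CRM user on this deployment:"
    $hits | ForEach-Object { Write-Warning "  $_" }
    exit 1
}

Write-Output "$Candidate is not an app pool or service identity on this server."
```

The comparison ignores the domain part, so an account with the same name in another domain is also flagged; for a guard like this a false alarm is the safer failure.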


What I would have really liked to do was to remove the service account user from the CRM organisation, but I couldn’t log in to do this. I couldn’t figure out what use it was looking at the tables in the SQL database, and this wouldn’t be supported, so this wasn’t an option.

So I had to add a new user in Active Directory (you can use another user already set up); I copied the previous user. I then went to ADD/REMOVE programs and clicked on CRM 2011 and chose Repair.

I then put the new user into the service account choices in the repair. I had to add the user to the performance counter; you can read how to do that here.

Once the CRM 2011 repair had gone through, CRM 2011 was back up and working. Running the repair is easier than changing all the places where the CRM service account is used, and it might also change some other settings in the SQL database and possibly Active Directory groups.

I’m not entirely sure why adding the service account to CRM 2011 causes this error, but I think it’s basically to do with privileges. When you add a user they start off with no user role; this might mean it can’t read certain tables, which the service account needs to do to work properly.

Luckily I managed to fix CRM 2011 pretty quickly before anyone started to complain, but one of the reasons was because I did it at 5.15 so most people were off home, but I did have to stay an extra 30 minutes after work to fix it.

9 thoughts on “CRM 2011 – License Error – the selected user has not been assigned a security role”

  1. Ault February 3, 2012 / 1:56 pm

    It’s a relief to note that I am not alone in dropping very basic clangers.

    And extra points for documenting it. Sometimes the most elementary mistakes are the hardest to trace because A) you’re looking for something more complex, and B) no one has bothered to document the error message/process.


  2. Adam Vero February 7, 2012 / 10:33 pm

    All users must be in a Business Unit (BU). All BUs have a default Team and all users are in the default Team for their BU.
    Give the default Team a security role, (even an empty one might work, but unlikely), or a bare minimum “baseline” role that you want to apply to all users regardless of job function (giving read access to the most common core records let’s say, and include things like metadata).
    Now although the user has no role of their own, they get the implicit rights of the Team, so they should be able to at least log on. You will still have major problems if you do what you did, but it may be easier to still get access to the system and reverse the mistake without total lockout.


  3. Hosk February 7, 2012 / 10:40 pm

    You can’t login with the user because CRM does not work for any users at that point. I think it’s because suddenly you have added SQL table rights to a user who needs read access to lots of tables to run the async processes (although that is just me guessing).

    The easiest quickest way to solve the problem is add another service account.

    An even quicker way to solve the problem is not to be an idiot and add the service account to CRM.

    It’s quite funny that Microsoft have to make a KB article about it really.


  4. Adam Vero February 8, 2012 / 12:07 am

    The reason CRM does not work for any user at that point is because you added the service account but it has no rights, it seems.
    If you can add it and give it rights at the same time (in the way I suggest), then things might not break so badly; you *might* at least be able to log on with a normal system admin account and remove the user again.

    As you say, “don’t go there” is the best advice.


  5. Milind October 4, 2012 / 6:10 pm

    Thanks for posting this.
    I have added a new user as admin of the CRM server, then used this user to run the CRMApp Pool and CRM Deployment Pool, and restarted. It allowed you to start the application. Log in to CRM, go to user settings, modify the user and replace the domain user with another user, and that’s it, your service user is out of the CRM. Then changed the setting back to run the CRM service with the old user.


  6. Sukaseh Md Sidek Mediu March 27, 2014 / 6:05 am

    Is any CD needed for this action?
    “went to ADD/REMOVE programs and clicked on CRM 2011 and chose Repair”


    • Hosk March 27, 2014 / 7:00 am

      You need to point it to the CRM 2011 server exe. If you can’t find it then download it again


    • Hosk March 27, 2014 / 7:02 am

      You need to point it to the CRM 2011 exe you used to install CRM. Download it again if you can’t find it.

