Being the primary techie goblin in our company it often is my job to set up new organisations for development or testing purposes so I thought it might be a neat thing to do this by powershell, which it really should be...
It would actually seem that Microsoft agrees with me since it exists a cmdlet in Microsoft.Crm.Powershell that's called New-Crm-Organization, which you can
read about
here.
The issue I was faced with is that it seems that the cmdlet in powershell is run by the service account of the deployment web service.
On the first server I tried this, which is a very test-no-production-server that account was Network Service, and the new org-cmdlet failed with a whole bunch of errors looking like this:
Error Items:
ActiveDirectoryRightsCheck raising error : The current user does not have required permissions (read/write) for the following Active Directory group: CN=ReportingGro
up {a189b908-ee74-4532-b70d-373aea8fb39f},OU=CRM2016DEV,OU=CRMS,DC=effa,DC=local
SysAdminCheck raising error : You do not have sufficient permission to perform this operation on the specified organization database
ExistingRSCheck raising error : Setup failed to validate specified Reporting Services Report Server http://crm2016dev/reportserver. Error: Error occurred while findi
ng an item on the report server.
System.Web.Services.Protocols.SoapException: The permissions granted to user 'NT AUTHORITY\NETWORK SERVICE' are insufficient for performing this operation. ---> Microsof
t.ReportingServices.Diagnostics.Utilities.AccessDeniedException: The permissions granted to user 'NT AUTHORITY\NETWORK SERVICE' are insufficient for performing this oper
ation.
This made me a bit sad since I wanted to use Powershell, the strange thing is that it works to create organisations with the deployment management tool, it didn't matter if I used the -Credential-flag either, it still used Network Service.
Oh well, I thought, maybe I'm having better luck on another server where I have an AD account set up as the deployment web service account, but I ran into the same issue there.
I've found sites on the web where they say that you can give the appopriate rights in the OU, which probably means that you need to give access to the reporting services too and so on and so on. I will be continuing to search for solutions of this issue since it would be oh so neat to handle this kind of operations with Powershell. If anyone has a good solution, give me a holler.