Recently we had to perform a data migration from an On Premise to an Online environment for a client. We discovered that they had quite a lot of inactive users who still had data linked to them. When disabling a user, you normally transfer the records of that user to another user using the Reassign Records functionality… But quite often we encounter scenarios where this has not happened.

This often leads to tricky situations, as it causes data inconsistency. After all, we end up with a user that has no Security Roles assigned (a logical consequence of deactivating a user), but does own records like accounts, contacts, … So we’re looking for a solution to assign Security Roles to Disabled Users.

Why are records owned by Disabled Users a problem?

The problem occurs during data migration, as you can’t simply recreate these records and assign them to the disabled user. You also can’t assign Security Roles to the disabled user, as the button is missing.

The solution: Organization Settings

Luckily, since version 9.1 (well, to be more specific) there is an Organization Setting, ‘AllowRoleAssignmentOnDisabledUsers’, which allows us to assign Security Roles to Disabled Users. This, in turn, allows us to assign records to these inactive users during creation.

There are a couple of ways you can update this setting: Microsoft provides PowerShell commands, you can use the SDK, or you can use my personal favorite, the OrgDbOrgSettings Managed Solution. Using the solution, update the setting as follows:

  1. Download and import the solution in the target CRM environment.
  2. Open the solution through the Advanced Setting in Dynamics 365 (don’t use
  3. Search for the setting AllowRoleAssignmentOnDisabledUsers and click the Add button.
  4. After clicking Add, click the Edit button.
  5. In the popup screen, change the value to true.

That’s it! You’ve now enabled the setting to assign security roles to System Users. Head back to your disabled user and you’ll see that you can now assign Security Roles to the user. You will now also be able to assign
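For the SDK route mentioned above, the sketch below (an added example, not code from the original post or from the OrgDbOrgSettings solution) merges AllowRoleAssignmentOnDisabledUsers into the existing settings XML instead of overwriting it, so other overrides survive, and builds a Web API PATCH without sending it. Assumptions: the organization row stores its overrides as one XML string in an `orgdborgsettings` column shaped `<OrgSettings><Name>value</Name></OrgSettings>`; the function names, `SomeOtherSetting`, and the all-zero organization id are constructed for illustration.

```python
import json
import xml.etree.ElementTree as ET

SETTING = "AllowRoleAssignmentOnDisabledUsers"

# Constructed sample: an environment that already has one (hypothetical) override.
SAMPLE_XML = "<OrgSettings><SomeOtherSetting>5</SomeOtherSetting></OrgSettings>"
SAMPLE_ORG_ID = "00000000-0000-0000-0000-000000000000"  # placeholder id


def merge_org_setting(current_xml, name, value):
    """Return the settings XML with `name` set to `value`; other settings are kept."""
    # An empty or missing column means no overrides have been stored yet.
    if current_xml and current_xml.strip():
        root = ET.fromstring(current_xml)
    else:
        root = ET.Element("OrgSettings")
    if root.tag != "OrgSettings":
        raise ValueError(f"unexpected root element: {root.tag!r}")
    # Booleans are written in lower case ("true"/"false"), as in step 5 above.
    text = str(value).lower() if isinstance(value, bool) else str(value)
    node = root.find(name)
    if node is None:
        node = ET.SubElement(root, name)  # add the override if it is not there
    node.text = text                      # otherwise update it in place
    return ET.tostring(root, encoding="unicode")


def build_patch(org_id, current_xml, enabled):
    """Build (relative URL, JSON body) for a Web API PATCH; nothing is sent."""
    merged = merge_org_setting(current_xml, SETTING, enabled)
    return f"organizations({org_id})", json.dumps({"orgdborgsettings": merged})


if __name__ == "__main__":
    url, body = build_patch(SAMPLE_ORG_ID, SAMPLE_XML, True)
    print("PATCH", url)
    print(body)
    # Setting it back to false after the migration is the same call.
    print(build_patch(SAMPLE_ORG_ID, json.loads(body)["orgdborgsettings"], False)[1])
```

The URL is relative to the environment's Web API base path, and `current_xml` should be the value read from the organization row immediately before the update.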

More OrgDBOrg Settings

There are a lot of nifty features to be discovered in the OrgDBOrgSettings. For a full overview of all OrgDBOrgSettings, refer to the Microsoft Support Docs.