Microsoft Dynamics CRM Tips: What rights does CRM Admin need?
You should create an AD account called CRMAdmin.
This account needs to be in the Domain admin group during the install of CRM. Domain admin is required because the installation changes the registry, creates services, and creates AD Organizational Units.
After the install, the CRMAdmin account can be removed from Domain Admin.
- The user is a local administrator on the Microsoft CRM server.
- The user has administrative credentials on the SQL Server.
- The user has a system administrator role assigned in Microsoft CRM.
- Validate that the CRMAdmin account is in the CRM PrivUser Group.
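One way to check these conditions after the install, as an added PowerShell example that is not part of the original post. The server names, the 'Domain Admins' and 'PrivUserGroup*' group names and the use of sysadmin as the SQL right are assumptions; the CRM system administrator role still has to be confirmed inside CRM.

```powershell
# Added example: post-install rights check for the CRM install account.
# Assumed, not from the post: server names, the 'Domain Admins' and
# 'PrivUserGroup*' group names, sysadmin as the SQL right, and that the
# ActiveDirectory and SqlServer modules are available.
param(
    [string]$Account   = 'CRMAdmin',
    [string]$CrmServer = 'CRM01',   # placeholder
    [string]$SqlServer = 'SQL01',   # placeholder
    [string]$Domain    = $env:USERDOMAIN
)
Import-Module ActiveDirectory
$login   = "$Domain\$Account"
$results = [ordered]@{}

# 1. Domain Admin was only needed for setup; membership should be gone.
$da = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
      Where-Object SamAccountName -eq $Account
$results['Removed from Domain Admins'] = -not $da

# 2. Local administrator on the CRM server (direct membership only;
#    access granted through a nested group will show as FAIL).
$admins = Invoke-Command -ComputerName $CrmServer -ScriptBlock {
    (Get-LocalGroupMember -Group 'Administrators').Name
}
$results['Local admin on CRM server'] = $admins -contains $login

# 3. SQL Server rights. IS_SRVROLEMEMBER returns 1, 0 or NULL.
$query = "SELECT IS_SRVROLEMEMBER('sysadmin', N'$login') AS IsSysAdmin"
$row   = Invoke-Sqlcmd -ServerInstance $SqlServer -Query $query
$results['sysadmin on SQL Server'] = $row.IsSysAdmin -eq 1

# 4. Membership in the CRM PrivUserGroup.
$inPriv = Get-ADGroup -Filter "Name -like 'PrivUserGroup*'" |
          ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
          Where-Object SamAccountName -eq $Account
$results['Member of PrivUserGroup'] = [bool]$inPriv

# The CRM System Administrator role is not checked here; confirm it in CRM.
$results.GetEnumerator() | ForEach-Object {
    '{0,-28} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```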
I also suggest that if you need to run a service as a named AD user, which happens with the email router in some instances, you create a separate CRMemail user for that service to use. There are passwords associated with the service, and you should change the CRMAdmin account password every once in a while.
The best practice is to use this account to manage all customizations, as opposed to promoting a user account to a CRM administrator. The reason is that a customizer working as an administrator will not see the effect of security roles on customization efforts. I have often made this mistake and created an object or customizations that work just fine for me, but not for the users. Taking this direction will help ensure that you don't make unusable customizations, because you can use your own user account to test your changes.