RESOLUTION
To resolve this behavior, use any of the following methods.
Method 1
Run the DSACLS tool, which is located on the Windows 2000 Support Tools CD-ROM. Click Run, and then type:
dsacls "dn of object"
Use quotes if there are any spaces in the distinguished name (DN).
The DN of the object can be determined by using the LDP.exe utility.
Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
For more information, see the following article in the Microsoft Knowledge Base:
260745 Using the LDP utility to modify Active Directory object attributes
An example for a Store object with this problem (the command can return a list of permissions on the object) is:
C:\>DSACLS "CN=BAD_Object,CN=First Storage Group,CN=InformationStore,CN=S8,CN=Servers,CN=EX-ORG-Name,CN=Administrative Groups,CN=Microsoft,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Microsoft,DC=com"
Method 2
Examine the Effective permissions on the object:
Locate any groups or users (for example, the Everyone group) that have a Deny full control permission. If the permission does not have "Inherited from parent" beside it, the permission is an explicit Deny permission and can override any inherited or explicit Allow permissions for that particular right.
You can remove the explicit Deny permission by using the graphical user interface (GUI). If the GUI does not enable you to remove this permission, use the DSACLS tool. Log on to the computer as a domain administrator or enterprise administrator because these groups typically have owner rights and cannot be completely locked out. Click Run, and then type:
dsacls "dn of object" /R group or username
Refer to the preceding example in Method 1. If the previous DSACLS tool returned the following information:
Deny Everyone Full Control
Then, click Run, and type:
c:\>dsacls "cn=bad_object,cn=first storage group,cn=informationstore,cn=s8,cn=servers,cn=ex-org-name,cn=administrative groups,cn=microsoft,cn=microsoft exchange,cn=services,cn=configuration,dc=microsoft,dc=com" /R everyone
The preceding command can remove all explicit permissions from the Everyone group on that object.
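The check described in Method 2, as an added PowerShell example that is not part of the original article: it lists only the explicit (non-inherited) Deny entries in a security descriptor and keeps the DACL in SDDL form as a record before anything is removed. The function name Get-ExplicitDenyAce and the sample SDDL string are constructed for illustration; the example assumes Windows with the .NET System.DirectoryServices assembly.

```powershell
Add-Type -AssemblyName System.DirectoryServices

function Get-ExplicitDenyAce {
    # Hypothetical helper: returns Deny ACEs set directly on the object,
    # skipping entries marked "Inherited from parent".
    param(
        [Parameter(Mandatory)]
        [System.DirectoryServices.ActiveDirectorySecurity]$Security
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # includeExplicit = $true, includeInherited = $false
    foreach ($rule in $Security.GetAccessRules($true, $false, $sidType)) {
        if ($rule.AccessControlType -ne 'Deny') { continue }
        $sid = $rule.IdentityReference
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = $sid.Value   # SID could not be resolved to a name
        }
        [pscustomobject]@{
            Trustee = $name
            Sid     = $sid.Value
            Rights  = $rule.ActiveDirectoryRights
            Scope   = $rule.InheritanceType
        }
    }
}

# Constructed sample DACL: explicit Deny full control for Everyone (WD),
# an inherited Deny read-property for Authenticated Users (AU), and an
# inherited Allow full control for BUILTIN\Administrators (BA).
$full = 'CCDCLCSWRPWPDTLOCRSDRCWDWO'
$sddl = "D:(D;;$full;;;WD)(D;CIID;RP;;;AU)(A;CIID;$full;;;BA)"
$sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sd.SetSecurityDescriptorSddlForm($sddl)

# Against a live object, read the descriptor from the directory instead:
#   $sd = ([ADSI]'LDAP://<dn of object>').ObjectSecurity

# Record the current DACL before changing it.
$access = [System.Security.AccessControl.AccessControlSections]::Access
$backup = $sd.GetSecurityDescriptorSddlForm($access)
"DACL before change: $backup"

# Only the Everyone entry is reported; the inherited Deny is skipped.
Get-ExplicitDenyAce -Security $sd | Format-Table -AutoSize
```

Each trustee reported here is a candidate for the /R switch shown above; inherited Deny entries have to be changed on the parent object where they are defined.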
Method 3
Grant full control to a group or account on the object. Click Run, and then type:
dsacls "dn of object" /G everyone:ga
This command can grant the Everyone group full control of the object. Then, immediately access the GUI and grant the permissions that are needed on the object.