"You do not have sufficient permissions in the Domain" error message occurs and Exchange Setup does not respond (319966)



The information in this article applies to:

  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange Server 2003 Standard Edition
  • Microsoft Exchange 2000 Server

This article was previously published under Q319966
This article is a consolidation of the following previously available articles: 823142 and 319966

SYMPTOMS

When you run the Exchange 2000 Server Setup program or the Exchange Server 2003 Setup program, you may receive the following error message:
The component "Microsoft Exchange Messaging and Collaboration Services" cannot be assigned the action "Install" because: -You do not have sufficient permissions in the Domain. The Domain administrator must re-run setup /domainprep or you must create a recipient update service for this domain to update the permissions.
If you use the /domainprep switch to run Setup and then run Exchange Setup again, you do not receive the error. However, the next time that you run Exchange Setup, Setup may stop responding, and you may receive the same error message again.

When you examine the security settings for the Exchange groups in the Active Directory Users and Computers management console, the Exchange Enterprise Servers security group does not have Full Control permissions over the Exchange Domain Servers group. Manually granting the Exchange Enterprise Servers group, or an account with Full Exchange Administrator rights, Full Control permissions on the Exchange Domain Servers group resolves the behavior temporarily, but the permissions later disappear.

CAUSE

This behavior can occur because the Exchange Domain Servers group is also a member of a Builtin Administrators group.

RESOLUTION

To resolve this behavior, remove the Exchange Domain Servers group from any Builtin Administrators groups, and then rerun Exchange Setup by using the /domainprep switch.

MORE INFORMATION

The AdminSDHolder object controls the security settings on the Builtin Administrators, Schema Administrators, Enterprise Administrators, and Domain Administrators groups.

Note You can see the AdminSDHolder object in the System container in the Active Directory Users and Computers snap-in. You have to configure the Active Directory Users and Computers snap-in to display Advanced Features for the System container to be visible. To turn on Advanced Features, in the Active Directory Users and Computers snap-in, click Advanced Features on the View menu.

The access control list (ACL) on the AdminSDHolder object functions as a template for the ACLs that are on members of the various administrative groups in the domain. This is to prevent the ACLs for administrative accounts from being changed, either manually or by moving the accounts to another container.

Every hour, the Microsoft Windows domain controller that has the primary domain controller (PDC) emulator operations master role verifies the ACLs on members of these administrative groups and compares them to the ACL on the AdminSDHolder object. If the ACL that is on the AdminSDHolder object is different, the ACLs on the members of the administrative group are reset to match the ACL on the AdminSDHolder object.

During the domain preparation operation (DomainPrep), the Exchange Enterprise Servers group is granted Full Control permissions to the Exchange Enterprise Servers and Exchange Domain Servers groups. These permissions are required for Exchange Setup to finish. Because the Exchange Enterprise Servers group is not granted Full Control permissions to the AdminSDHolder object, if the Exchange Domain Servers group is added to the Builtin Administrators group, the permissions granted through the domain preparation operation are later removed.
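
A read-only check for the condition described above, added here as an example and not part of the original article. It assumes the ActiveDirectory PowerShell module (RSAT) and a domain controller that runs Active Directory Web Services; the function name Test-ExchangeDomainServersProtection is hypothetical, and only the current domain is searched.

```powershell
# Added example: reports whether "Exchange Domain Servers" is nested in a group
# whose members have their ACLs reset from the AdminSDHolder template.
Import-Module ActiveDirectory

function Test-ExchangeDomainServersProtection {
    param([string]$GroupName = 'Exchange Domain Servers')   # group name from the article

    $group = Get-ADGroup -Filter "Name -eq '$GroupName'" -Properties adminCount
    if (-not $group) { throw "Group '$GroupName' not found in the current domain." }

    # Every group that contains $group directly or through nesting
    # (LDAP_MATCHING_RULE_IN_CHAIN). Assumes the DN holds no characters that
    # need LDAP filter escaping, which is true for the default group name.
    $chain   = "(member:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))"
    $parents = @(Get-ADGroup -LDAPFilter $chain)

    # Groups the article lists as governed by AdminSDHolder, matched by SID:
    # Builtin Administrators (S-1-5-32-544), Domain Admins (-512),
    # Schema Admins (-518), Enterprise Admins (-519).
    $protected = @($parents | Where-Object {
        $_.SID.Value -eq 'S-1-5-32-544' -or
        $_.SID.Value -match '^S-1-5-21-.*-(512|518|519)$'
    })

    # ACEs currently held by Exchange Enterprise Servers on the group
    # (DomainPrep grants Full Control, shown as GenericAll).
    $aces = @((Get-Acl -Path "AD:\$($group.DistinguishedName)").Access |
        Where-Object { $_.IdentityReference.Value -like '*\Exchange Enterprise Servers' })

    [pscustomobject]@{
        Group                 = $group.DistinguishedName
        AdminCount            = $group.adminCount   # 1 once the AdminSDHolder task has processed it
        ProtectedParents      = @($protected | ForEach-Object { $_.Name })
        EnterpriseServersAces = @($aces | ForEach-Object { $_.ActiveDirectoryRights })
        AtRisk                = ($protected.Count -gt 0)
    }
}

Test-ExchangeDomainServersProtection | Format-List
```

If AtRisk is True, the groups listed in ProtectedParents are the memberships to remove before rerunning Setup with the /domainprep switch.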

If you view the Exchange Server Setup Progress Log (located on the root of the boot partition, for example, C:\Exchange Server Setup Progress.log), you can see the following text:

[03:24:35]     Prerequisites for Microsoft Exchange Instant Messaging Service failed: The component "Microsoft Exchange Messaging and Collaboration Services" cannot be assigned the action "Install" because:
 - You do not have sufficient permissions in the Domain. The Domain administrator must re-run setup /domainprep or you must create a recipient update service for this domain to update the permissions.
 - The installation directory "H:\Program Files\Exchsrvr\MDBDATA" must not contain any files

[03:24:35] The component "Microsoft Exchange Messaging and Collaboration Services" cannot be assigned the action "Install" because:
 - You do not have sufficient permissions in the Domain. The Domain administrator must re-run setup /domainprep or you must create a recipient update service for this domain to update the permissions.
 - The installation directory "H:\Program Files\Exchsrvr\MDBDATA" must not contain any files

[03:28:05]  CComBOIFacesFactory::QueryInterface (K:\admin\src\udog\BO\bofactory.cxx:52)
           Error code 0X80004002 (16386): No interface.
				
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

232199 Description and update of the Active Directory AdminSDHolder object

318180 AdminSDHolder thread affects transitive members of distribution groups


Modification Type: Minor
Last Reviewed: 4/25/2005
Keywords:kberrmsg kbpending kbprb KB319966