Exchange Server 2003 Setup Is Unsuccessful and "Access Denied" Errors Are Logged (818468)


The information in this article applies to:

  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange Server 2003 Standard Edition

SYMPTOMS

When you try to install Exchange Server 2003, the Setup program starts to install Exchange Server 2003, but Setup is unsuccessful. "Access denied" errors are logged when it tries to create First Administrative Group. This problem occurs after you delegate permissions to install Exchange Server 2003 to a user or to a security group.

When you view the Setup.log file, the following information may be logged:
[11:17:57]  ScCreateOrgLevelAdminGroupObject (f:\df6851\admin\src\udog\exsetdata\components\sharedatoms\a_ag.cxx:542)
           Error code 0X80070005 (5): Access denied.
[11:17:57] Leaving ScCreateOrgLevelAdminGroupObject
[11:17:57]  CAtomAdminGroup::ScAddDSObjects (f:\df6851\admin\src\udog\exsetdata\components\sharedatoms\a_ag.cxx:302)
           Error code 0X80070005 (5): Access denied.
[11:17:57] Leaving CAtomAdminGroup::ScAddDSObjects
[11:17:57] mode = 'Install' (61953) CBaseAtom::ScSetup (f:\df6851\admin\src\udog\setupbase\basecomp\baseatom.cxx:842)
           Error code 0X80070005 (5): Access denied.

CAUSE

This problem may occur if the permissions that you delegated to the user or to the group have not replicated throughout the domain.

WORKAROUND

To work around this problem, allow sufficient time for the permissions to replicate throughout the whole domain, and then run the Setup program again.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

When you run Setup, it verifies permissions on the existing administrative groups. Setup expects the permissions to occur in the following ascending order:
  1. Read
  2. Read and Write
  3. Read, Write, and SetPerms
If the security permissions have not replicated throughout the whole domain, the permissions may not be present in the ascending order that Setup expects. For example, if you view the Exchange Server Setup Progress.log file, the following information may be logged: 
[10:50:43] Checking permissions on the admin group: /dc=com/dc=example/cn=Configuration/cn=Services/cn=Microsoft Exchange/cn=OrganizationName/cn=Administrative Groups/cn=Group-1
[10:50:43] We have permission ExchAG_Read
[10:50:43] We have permission ExchAG_Write
[10:50:43] Checking permissions on the admin group: /dc=com/dc=example/cn=Configuration/cn=Services/cn=Microsoft Exchange/cn=OrganizationName/cn=Administrative Groups/cn=Group-2
[10:50:43] We have permission ExchAG_Read
[10:50:43] We have permission ExchAG_Write
[10:50:43] Checking permissions on the admin group: /dc=com/dc=example/cn=Configuration/cn=Services/cn=Microsoft Exchange/cn=OrganizationName/cn=Administrative Groups/cn=Group-3
[10:50:43] We have permission ExchAG_Read
[10:50:43] We have permission ExchAG_SetPerms
[10:50:43] Final set of permissions: 0X40C040E0
In this example, Setup locates three administrative groups and determines that sufficient permissions are present to start the Exchange Server 2003 installation. However, the permissions are not present in the ascending order that Setup expects (the third administrative group has Read and SetPerms permissions, but not Write permission). When Setup examines the list of administrative groups to determine the groups that you can install Exchange Server 2003 in, it determines that none of the groups qualify.

When no group qualifies, Setup tries to create an administrative group named First Administrative Group and tries to install Exchange Server 2003 in it. If you are not logged on as an organization-level administrator, Setup is unsuccessful when it tries to create the administrative group and "Access denied" errors are logged.
Modification Type:MinorLast Reviewed:11/7/2005
Keywords:kbnofix kbBug kbprb KB818468 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.