How to troubleshoot access denied in a split permission model or minimum permissions model (924255)



The information in this article applies to:

  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange Server 2003 Standard Edition

Source: Microsoft Support

RAPID PUBLISHING

RAPID PUBLISHING ARTICLES PROVIDE INFORMATION IN RESPONSE TO EMERGING OR UNIQUE TOPICS, AND MAY BE UPDATED AS NEW INFORMATION BECOMES AVAILABLE.

SYMPTOMS

When an administrative snap-in reports an "Access denied" error, customers often want to know which attributes they lack permission to modify. This happens most often with delegated user accounts that have a limited set of permissions to modify an OU or a domain but are not members of "Account Operators" or "Domain Admins".

The administrative snap-ins "Exchange System Manager" and "Active Directory Users and Computers" access Active Directory, so the "Access Denied" error code 0x80007005 is actually the Win32 interpretation of an LDAP error code. To determine the LDAP error code and the attribute to which you do not have access, follow the steps below:

RESOLUTION

Enable auditing for Failure on the object that you are trying to modify, and then try to make the change to this object. Look in the Security log on the DC for event 566 regarding this object. This event should show the exact permissions that are missing.

http://support.microsoft.com/?id=814595

Configure Auditing for Specific Active Directory Objects

After you configure an audit policy setting, you can configure auditing for specific objects, such as users, computers, organizational units, or groups, by specifying both the types of access and the users whose access you want to audit.

To configure auditing for specific Active Directory objects:
  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Make sure that Advanced Features is selected on the View menu by making sure that the command has a check mark next to it.
  3. Right-click the Active Directory object that you want to audit, and then click Properties.
  4. Click the Security tab, and then click Advanced.
  5. Click the Auditing tab, and then click Add.
  6. Complete one of the following:
    • Type the name of either the user or the group whose access you want to audit in the Enter the object name to select box, and then click OK.
    • In the list of names, double-click either the user or the group whose access you want to audit.
  7. Click to select either the Successful check box or the Failed check box for the actions that you want to audit, and then click OK.
  8. Click OK, and then click OK.
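
Once failure auditing is configured and the change has been retried, the event 566 description can be reduced to the fields that matter: who was denied, on which object, and for which access and property. The following is an added example, not part of the original article; the function name is hypothetical, the sample event text is constructed, and it assumes Windows PowerShell 2.0 or later with English event descriptions.

```powershell
# Added example: summarise a Security event 566 description (failed directory access).
function ConvertFrom-Event566Message {
    param([Parameter(Mandatory = $true)][string]$Message)

    # Value of a single-line field such as "Object Name:<tab>CN=...".
    function Get-Field([string]$Text, [string]$Label) {
        if ($Text -match "(?m)^\s*${Label}:[ \t]*(.*?)\s*$") { return $Matches[1] }
    }
    # Trimmed, non-empty lines between two field labels (multi-line fields).
    function Get-Block([string]$Text, [string]$From, [string]$To) {
        if ($Text -match "(?s)${From}:\s*(.*?)\s*${To}:") {
            $Matches[1] -split "\r?\n" | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        }
    }

    New-Object PSObject -Property @{
        ClientUser = '{0}\{1}' -f (Get-Field $Message 'Client Domain'), (Get-Field $Message 'Client User Name')
        ObjectName = Get-Field $Message 'Object Name'
        ObjectType = Get-Field $Message 'Object Type'
        Accesses   = @(Get-Block $Message 'Accesses' 'Properties') -join ', '
        Properties = @(Get-Block $Message 'Properties' 'Additional Info') -join ' / '
    } | Select-Object ClientUser, ObjectName, ObjectType, Accesses, Properties
}

# Constructed sample of an event 566 description; all names are placeholders.
$sample = @'
Object Operation:
    Object Server:      DS
    Operation Type:     Object Access
    Object Type:        user
    Object Name:        CN=Test User,OU=Staff,DC=example,DC=com
    Client User Name:   helpdesk1
    Client Domain:      EXAMPLE
    Accesses:           Write Property
    Properties:
    Write Property
        Public Information
            proxyAddresses
    user
    Additional Info:
    Access Mask:        0x20
'@
ConvertFrom-Event566Message $sample | Format-List

# Live use on the DC (not run here):
# Get-EventLog -LogName Security -EntryType FailureAudit |
#     Where-Object { $_.EventID -eq 566 } |
#     ForEach-Object { ConvertFrom-Event566Message $_.Message }
```

For the sample, the Properties field reads "Write Property / Public Information / proxyAddresses / user", which identifies the denied write and the attribute it targeted.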


Modification Type: Minor
Last Reviewed: 10/6/2006
Keywords: kbprb kbtshoot kbrapidpub KB924255 kbAudITPRO