Microsoft KB Archive/287691

= The directory object may have an unknown class or cannot be located =

Article ID: 287691

Article Last Modified on 3/12/2007

-

APPLIES TO


 * Microsoft Exchange 2000 Server Standard Edition

-



This article was previously published under Q287691



SYMPTOMS
You may observe the following symptoms in Microsoft Exchange 2000 Server:  When you attempt to create an object, you may receive either of the following messages:

The object  already exists. Enter a unique directory name for this object.

Windows cannot create the new user object because the pre-Windows 2000 logon name  is already in use. Select another name, and then try again.

 Objects may be missing in the Active Directory directory service. When you search for an object in the user interface (either Exchange Service Manager or Active Directory Users and Computers), you cannot find it. If you use the ADSI Edit utility, you can observe the object, but the object class is unknown, and you cannot make any modifications to it.



CAUSE
This behavior can occur if you do not have sufficient permissions. For example, an administrator may impose a Deny all setting to the Everyone group for that particular object.



RESOLUTION
To resolve this behavior, use any of the following methods.

Method 1
Run the DSACLS tool that is located in the Windows 2000 Supports Tools CD-ROM: Click Run, and then type: dsacls &quot;dn of object&quot; (use quotes if there are any spaces in the distinguished name [DN]).

The DN of the object can be determined by using the LDP.exe utility.

Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

260745 Using the LDP utility to modify Active Directory object attributes

An example of a Store object with this problem (that can return a list of permissions on the object) is:

C:\>DSACLS &quot;CN=BAD_Object,CN=First Storage Group,CN=InformationStore,CN=S8,CN=Servers,CN=EX-ORG-Name,CN=Administrative Groups,CN=Microsoft,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Microsoft,DC=com&quot;

Method 2
Examine the Effective permissions on the object:

Locate any groups or users that have a Deny (group or user) full control permission (for example, the Everyone group). If the permission does not have &quot;Inherited from parent&quot; beside it, the permission is an explicit Deny permission and can override any inherited or explicit Allow permissions for that particular right.

You can remove the explicit Deny permission by using the graphical user interface (GUI). If the GUI does not enable you to remove this permission, use the DSACLS tool. Log on to the computer as a domain administrator or enterprise administrator because these groups typically have owner rights and cannot be completely locked out. Click Run, and then type: dsacls &quot;dn of object&quot; /R.

Refer to the preceding example in Method 1. If the previous DSACLS tool returned the following information:

Deny Everyone Full Control

Then, click Run, and type: c:\>dsacls &quot;cn=bad_object,cn=first storage group,cn=informationstore,cn=s8,cn=servers,cn=ex-org-name,cn=administrative groups,cn=microsoft,cn=microsoft exchange,cn=services,cn=configuration,dc=microsoft,dc=com&quot; /R everyone

The preceding command can remove all explicit permissions from the Everyone group on that object.

Method 3
Click Run, and then type the following command:

dsacls &quot;dn of object&quot; /G administrators:ga

This command grants the administrators group full control of the object.

Additional query words: ad

Keywords: kbprb KB287691

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.