Microsoft KB Archive/938627

= When you try to install Microsoft System Center Operations Manager 2007 Reporting, the installation is unsuccessful =

Article ID: 938627

Article Last Modified on 10/31/2007

-

APPLIES TO


 * Microsoft System Center Operations Manager 2007

-



SYMPTOMS
When you try to install the Microsoft System Center Operations Manager 2007 Reporting feature, the installation is unsuccessful. When this problem occurs, the Operations Manager event log may contain the following error message:

Date: date

Source: OpsMgr SDK Service

Time: time

Category: None

Type: Error

Event ID: 26319

User: N/A

Computer:

Description: An exception was thrown while processing GetUserRolesForOperationAndUser for session id uuid:UUID. Exception Message: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) Full Exception: System.UnauthorizedAccessException: Access is denied. (Exception fro HRESULT: 0x80070005 (E_ACCESSDENIED))

Exception Message: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) Full Exception: System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) at Microsoft.Interop.Security.AzRoles.IAzApplication2.InitializeClientContextFr omStringSid(String SidString, Int32 lOptions, Object varReserved) at Microsoft.EnterpriseManagement.Mom.Sdk.Authorization.AzManHelper.GetScopedRo leAssignmentsForUser(IList`1 roleNames, String userName) at Microsoft.EnterpriseManagement.Mom.Sdk.Authorization.AuthManager.GetUserRole sForOperationAndUser(Guid operationId, String userName) at Microsoft.EnterpriseManagement.Mom.ServiceDataLayer.SdkDataAccess.GetUserRol esForOperationAndUser(Guid operationId, String userName) at Microsoft.EnterpriseManagement.Mom.ServiceDataLayer.SdkDataAccessTieringWrap per.GetUserRolesForOperationAndUser(Guid operationId, String userName) at Microsoft.EnterpriseManagement.Mom.ServiceDataLayer.SdkDataAccessExceptionTr acingWrapper.GetUserRolesForOperationAndUser(Guid operationId, String userName)



CAUSE
This problem occurs when the SDK service account does not have read access to the tokenGroupsGlobalAndUniversal attribute. The SDK service's authorization manager requires this access to determine the security groups to which a user belongs.

This problem occurs if one of the following conditions is true:
 * You install the Operations Manager 2007 Reporting feature in a Window Server 2003 domain environment, and the Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems option is enabled.
 * You install the Operations Manager 2007 Reporting feature in a Windows 2000 domain environment, and the Permissions compatible only with Windows 2000 servers option is enabled.



RESOLUTION
To resolve this problem, add the SDK service account to the Windows Authorization Access group. To do this, follow these steps:
 * 1) Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) In Active Directory Users and Computers, click Builtin, and then double-click Windows Authorization Access Group.
 * 3) Click the Members tab, and then add the SDK service account to the members list.



MORE INFORMATION
By default, if the Permissions compatible with pre-Windows 2000 servers option is enabled when the domain is created, every member of the domain is added to the Pre-Windows 2000 Compatible Access group. In this situation, the Pre-Windows 2000 Compatible Access group has read access to the tokenGroupsGlobalAndUniversal attribute. Therefore, no action is required unless the Pre-Windows 2000 Compatible Access group name is manually changed.

For more information about this problem, click the following article number to view the article in the Microsoft Knowledge Base:

331951 Some applications and APIs require access to authorization information on account objects

Keywords: kbtshoot kbexpertiseinter kbprb KB938627

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.