Microsoft KB Archive/934761

= Error message when some Microsoft Exchange Server attributes are accessed after you extend the Active Directory schema for Exchange Server 2007: "Access denied" =

Article ID: 934761

Article Last Modified on 10/31/2007

APPLIES TO

 * Microsoft Exchange Server 2007 Enterprise Edition
 * Microsoft Exchange Server 2007 Standard Edition

SYMPTOMS
Consider the following scenario:
 * You run Setup /PrepareSchema to extend the Active Directory directory service schema for Microsoft Exchange Server 2007.
 * You do this before you run setup.com /PrepareAD or before you finish installing Exchange 2007.

In this scenario, some programs may try to access extended attributes on User objects in Active Directory. When this occurs, the programs report the following error message:

Access Denied



CAUSE
Some Exchange Server attributes were previously members of the Public Information property set or the Personal Information property set. The Exchange 2007 schema extension moves these attributes to the new Exchange Information property set or the new Exchange Personal Information property set. While the Exchange 2007 installation is in an incomplete state, the new property sets have not yet been defined in Active Directory, so the attributes that are associated with them may be inaccessible.

The definition of the Exchange Information property set can be imported when you run setup.com /PrepareAD.



RESOLUTION
To resolve this issue, use one of the following methods:

Method 1: Import the Rights.ldf file
Import the Rights.ldf file so that the Exchange Information property set and the Exchange Personal Information property set can be resolved by existing programs. To do this, follow these steps:
 * Log on to the domain controller that hosts the operations master roles (also known as flexible single master operations or FSMO roles) by using an account that has Enterprise Administrator permissions.
 * Locate the Rights.ldf file in the Setup\Data folder of the Exchange 2007 source files.
 * Click Start, click Run, type cmd in the Open box, and then click OK.
 * At the command prompt, type the following command:

ldifde.exe -i -s <DomainController> -f <SourcePath>\Setup\Data\rights.ldf

In this command, <DomainController> is the name of the domain controller that hosts the operations master roles, and <SourcePath> is the folder name or the share name that hosts the Exchange 2007 installation files (both names are placeholders; substitute your own values). The -i switch selects import mode, -s selects the server to connect to, and -f names the LDIF file to import.

Method 2: Complete the Exchange 2007 installation
To complete the Exchange 2007 installation, run setup.com /PrepareAD. When you do this, setup.com /PrepareAD loads the Rights.ldf file and allows for the Exchange Information property set and the Exchange Personal Information property set to be resolved by existing programs.



MORE INFORMATION
It is common practice to stage the deployment of Exchange 2007 by extending the schema some time before you install Exchange 2007. This is supported. However, it may cause unexpected behavior in programs that require access to the Exchange attributes that were in the original Public Information property set or the original Personal Information property set, because those attributes now belong to property sets that are not defined until the installation is completed.

A property set is a logical grouping of Active Directory attributes. You can control access to this grouping of Active Directory attributes. To do this, set a single access control entry (ACE) instead of setting an ACE on each property. Property sets are usually used to delegate control of Active Directory. An attribute belongs to a property set if the attributeSecurityGUID property in the corresponding attributeSchema object contains the same GUID value as the rightsGuid property in the controlAccessRight object for the property set.

Exchange 2007 is the first product to implement these new property sets. The new property sets support the split administrative model that is used in Exchange 2007.

The following examples display one sample Exchange Schema Object for the Exchange Information property set and one sample Exchange Schema Object for the Exchange Personal Information property set.

In these examples, the rightsGuid property of each Exchange extended-right object is the same GUID as the attributeSecurityGUID property of the corresponding schema object. This matching pair of values is what makes a specific schema object a member of a specific property set.

Note Changing property sets is not supported.

Sample Exchange Schema Object for the Exchange Information property set

>> Dn: CN=ms-Exch-ADC-Global-Names,CN=Schema,CN=Configuration,DC=contoso,DC=com
2> objectClass: top; attributeSchema;
1> cn: ms-Exch-ADC-Global-Names;
1> distinguishedName: CN=ms-Exch-ADC-Global-Names,CN=Schema,CN=Configuration,DC=contoso,DC=com;
1> instanceType: 0x4 = ( IT_WRITE );
1> whenCreated: 05/16/2006 14:46:56 Central Standard Time Central Daylight Time;
1> whenChanged: 07/17/2006 19:07:59 Central Standard Time Central Daylight Time;
1> uSNCreated: 13980;
1> attributeID: 1.2.840.113556.1.4.7000.102.63;
1> attributeSyntax: 2.5.5.12;
1> isSingleValued: FALSE;
1> uSNChanged: 45303;
1> showInAdvancedViewOnly: TRUE;
1> adminDisplayName: ms-Exch-ADC-Global-Names;
1> adminDescription: ms-Exch-ADC-Global-Names;
1> oMSyntax: 64;
1> searchFlags: 1;
1> lDAPDisplayName: msExchADCGlobalNames;
1> name: ms-Exch-ADC-Global-Names;
1> objectGUID: af6461ef-8806-460a-ad1e-aa441e4168ef;
1> schemaIDGUID: 9062f090-b093-11d2-aa06-00c04f8eedd8;
1> attributeSecurityGUID: 1f298a89-de98-47b8-b5cd-572ad53d267e;
1> isMemberOfPartialAttributeSet: TRUE;
1> objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=contoso,DC=com;

Sample Exchange Schema Object for the Exchange Personal Information property set

>> Dn: CN=ms-exch-UM-Pin-Checksum,CN=Schema,CN=Configuration,DC=contoso,DC=com
2> objectClass: top; attributeSchema;
1> cn: ms-Exch-UM-Pin-Checksum;
1> distinguishedName: CN=ms-Exch-UM-Pin-Checksum,CN=Schema,CN=Configuration,DC=contoso,DC=com;
1> instanceType: 0x4 = ( IT_WRITE );
1> whenCreated: 07/17/2006 19:07:40 Central Standard Time Central Daylight Time;
1> whenChanged: 07/17/2006 19:15:09 Central Standard Time Central Daylight Time;
1> uSNCreated: 45219;
1> attributeID: 1.2.840.113556.1.4.7000.102.50344;
1> attributeSyntax: 2.5.5.10;
1> isSingleValued: TRUE;
1> rangeLower: 160;
1> rangeUpper: 160;
1> uSNChanged: 46981;
1> showInAdvancedViewOnly: TRUE;
1> adminDisplayName: ms-Exch-UM-Pin-Checksum;
1> adminDescription: ms-Exch-UM-Pin-Checksum;
1> oMSyntax: 4;
1> searchFlags: 0;
1> lDAPDisplayName: msExchUMPinChecksum;
1> name: ms-Exch-UM-Pin-Checksum;
1> objectGUID: 11f86b10-0fe3-45b9-9e9c-5191299e76de;
1> schemaIDGUID: 3263e3b8-fd6b-4c60-87f2-34bdaa9d69eb;
1> attributeSecurityGUID: b1b3a417-ec55-4191-b327-b72e33e38af2;
1> isMemberOfPartialAttributeSet: TRUE;
1> objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=contoso,DC=com;

Exchange Information Extended Right Object

>> Dn: CN=Exchange-Information,CN=Extended-Rights,CN=Configuration,DC=contoso,DC=com
2> objectClass: top; controlAccessRight;
1> cn: Exchange-Information;
1> distinguishedName: CN=Exchange-Information,CN=Extended-Rights,CN=Configuration,DC=contoso,DC=com;
1> instanceType: 0x4 = ( IT_WRITE );
1> whenCreated: 07/17/2006 19:19:56 Central Standard Time Central Daylight Time;
1> whenChanged: 07/17/2006 19:19:57 Central Standard Time Central Daylight Time;
1> displayName: Exchange Information;
1> uSNCreated: 47304;
1> uSNChanged: 47311;
1> showInAdvancedViewOnly: TRUE;
1> name: Exchange-Information;
1> objectGUID: 67fba274-b3b0-4214-a5a1-fe05eba72b1f;
1> rightsGuid: 1F298A89-DE98-47b8-B5CD-572AD53D267E;
7> appliesTo: bf967aba-0de6-11d0-a285-00aa003049e2; 9CF1AA93-B31C-4725-9D50-AB7AB1D3CA1E; f0f8ffac-1191-11d0-a060-00aa006c33ed; 018849b0-a981-11d2-a9ff-00c04f8eedd8; 4828cc14-1437-45bc-9b07-ad6f015e5f28; bf967a9c-0de6-11d0-a285-00aa003049e2; 5cb41ed0-0e4c-11d0-a286-00aa003049e2;
1> objectCategory: CN=Control-Access-Right,CN=Schema,CN=Configuration,DC=contoso,DC=com;
1> validAccesses: 48;

Exchange Personal Information Extended Right Object

>> Dn: CN=Exchange-Personal-Information,CN=Extended-Rights,CN=Configuration,DC=contoso,DC=com
2> objectClass: top; controlAccessRight;
1> cn: Exchange-Personal-Information;
1> distinguishedName: CN=Exchange-Personal-Information,CN=Extended-Rights,CN=Configuration,DC=contoso,DC=com;
1> instanceType: 0x4 = ( IT_WRITE );
1> whenCreated: 07/17/2006 19:19:57 Central Standard Time Central Daylight Time;
1> whenChanged: 07/17/2006 19:19:57 Central Standard Time Central Daylight Time;
1> displayName: Exchange Personal Information;
1> uSNCreated: 47312;
1> uSNChanged: 47319;
1> showInAdvancedViewOnly: TRUE;
1> name: Exchange-Personal-Information;
1> objectGUID: 429f329b-7536-452a-84f0-8ed589bf441a;
1> rightsGuid: B1B3A417-EC55-4191-B327-B72E33E38AF2;
7> appliesTo: bf967aba-0de6-11d0-a285-00aa003049e2; 9CF1AA93-B31C-4725-9D50-AB7AB1D3CA1E; f0f8ffac-1191-11d0-a060-00aa006c33ed; 018849b0-a981-11d2-a9ff-00c04f8eedd8; 4828cc14-1437-45bc-9b07-ad6f015e5f28; bf967a9c-0de6-11d0-a285-00aa003049e2; 5cb41ed0-0e4c-11d0-a286-00aa003049e2;
1> objectCategory: CN=Control-Access-Right,CN=Schema,CN=Configuration,DC=contoso,DC=com;
1> validAccesses: 48;
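The membership rule stated in MORE INFORMATION (an attribute belongs to a property set when its attributeSecurityGUID equals the rightsGuid of the controlAccessRight object) can be checked offline against dumps like the ones above. The following script is an added example written for this page; it is not Microsoft code and not part of the article. It parses trimmed, constructed copies of the article's ldp-style dumps, resolves each schema attribute to its property set, and reports the case the article describes: an attribute whose attributeSecurityGUID points at a property set that has not been imported yet (here only Exchange-Information is present in the rights dump, modelling the state between Setup /PrepareSchema and setup.com /PrepareAD). It also builds the LDAP filter an administrator would use against a live directory to list every attribute in a given property set; that filter escapes the GUID in its Windows byte order because attributeSecurityGUID is stored as an octet string. All function names are the example's own.

```python
"""Resolve Active Directory attributes to their property sets from ldp-style dumps.

Added example (not from the KB article). Rule applied: an attributeSchema object
is a member of a property set when its attributeSecurityGUID equals the rightsGuid
of the controlAccessRight object that defines the set.
"""
import re
import uuid

# Constructed sample: trimmed copies of the article's schema dumps. Note that
# attributeSecurityGUID is lower-case here while rightsGuid below is upper-case,
# so a naive string comparison would fail; uuid.UUID normalises both.
SCHEMA_DUMP = """\
>> Dn: CN=ms-Exch-ADC-Global-Names,CN=Schema,CN=Configuration,DC=contoso,DC=com
1> lDAPDisplayName: msExchADCGlobalNames;
1> attributeSecurityGUID: 1f298a89-de98-47b8-b5cd-572ad53d267e;
>> Dn: CN=ms-exch-UM-Pin-Checksum,CN=Schema,CN=Configuration,DC=contoso,DC=com
1> lDAPDisplayName: msExchUMPinChecksum;
1> attributeSecurityGUID: b1b3a417-ec55-4191-b327-b72e33e38af2;
"""

# Constructed sample: only the Exchange-Information right is defined. This models a
# forest where the schema was extended but Rights.ldf / setup.com /PrepareAD has not
# yet created the Exchange-Personal-Information controlAccessRight object.
RIGHTS_DUMP = """\
>> Dn: CN=Exchange-Information,CN=Extended-Rights,CN=Configuration,DC=contoso,DC=com
1> displayName: Exchange Information;
1> rightsGuid: 1F298A89-DE98-47b8-B5CD-572AD53D267E;
"""


def parse_ldp_dump(text):
    """Return one dict per '>> Dn:' block, mapping attribute name to its value string.

    Multi-valued attributes (e.g. appliesTo) are kept as a single '; '-joined string;
    that is enough for the single-valued GUID attributes this example needs.
    """
    objects = []
    for line in text.splitlines():
        dn = re.match(r"^>> Dn: (.*)$", line)
        if dn:
            objects.append({"dn": dn.group(1).strip()})
            continue
        attr = re.match(r"^\d+> (\w+): (.*?);?$", line)
        if attr and objects:
            objects[-1][attr.group(1)] = attr.group(2).strip()
    return objects


def index_rights(rights_objects):
    """Map each controlAccessRight's rightsGuid (as uuid.UUID) to its displayName."""
    return {uuid.UUID(r["rightsGuid"]): r["displayName"]
            for r in rights_objects if "rightsGuid" in r}


def property_set_of(attribute, rights_by_guid):
    """Return the displayName of the property set that owns `attribute`, or None.

    None covers two situations: the attribute has no attributeSecurityGUID (it is
    not in any property set and is governed per-attribute only), or the GUID matches
    no controlAccessRight object, which is the incomplete-installation state the
    article describes.
    """
    raw = attribute.get("attributeSecurityGUID")
    if not raw:
        return None
    return rights_by_guid.get(uuid.UUID(raw))


def guid_to_ldap_filter(guid_str):
    """Build an LDAP filter that lists every attributeSchema object in a property set.

    attributeSecurityGUID is stored as an octet string holding the GUID in Windows
    byte order (first three fields little-endian), so each byte is escaped as \\xx.
    """
    escaped = "".join("\\%02x" % b for b in uuid.UUID(guid_str).bytes_le)
    return "(&(objectClass=attributeSchema)(attributeSecurityGUID=%s))" % escaped


def report(schema_text, rights_text):
    """Map each lDAPDisplayName in the schema dump to its resolved property set."""
    rights = index_rights(parse_ldp_dump(rights_text))
    return {a["lDAPDisplayName"]: property_set_of(a, rights)
            for a in parse_ldp_dump(schema_text)}


if __name__ == "__main__":
    for name, pset in report(SCHEMA_DUMP, RIGHTS_DUMP).items():
        print(name, "->", pset or "no matching controlAccessRight (property set not imported)")
    # Filter for the Exchange Information set, usable with ldifde/ldp against the
    # schema naming context once the directory is reachable.
    print(guid_to_ldap_filter("1f298a89-de98-47b8-b5cd-572ad53d267e"))
```

With the constructed dumps, msExchADCGlobalNames resolves to "Exchange Information" while msExchUMPinChecksum resolves to nothing, which is exactly the condition that produces the "Access denied" symptom until Rights.ldf is imported. Running the same report against a real export taken after Method 1 or Method 2 should resolve both attributes.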

