Microsoft KB Archive/823142

= "You Do Not Have Sufficient Permissions in the Domain" Error Message Occurs and Exchange Server 2003 Setup Does Not Respond =

PSS ID Number: 823142

Article Last Modified on 8/22/2003


The information in this article applies to:


 * Microsoft Exchange Server 2003 Enterprise Edition
 * Microsoft Exchange Server 2003 Standard Edition




SYMPTOMS
When you run the Exchange Server 2003 Setup program, you may receive the following error message:

The component "Microsoft Exchange Messaging and Collaboration Services" cannot be assigned the action "Install" because: - You do not have sufficient permissions in the Domain. The Domain administrator must re-run setup /domainprep or you must create a recipient update service for this domain to update the permissions.

If you use the /domainprep switch to run Setup, and then run Setup again, you do not receive the error. However, when you next run Setup, Setup may stop responding and you may receive the same error message again.

When you examine the security settings for the Exchange groups in Active Directory Users and Computers, the Exchange Enterprise Servers group does not have Full Control permissions over the Exchange Domain Servers group. Manually granting Full Control permissions on the Exchange Domain Servers group to the Exchange Enterprise Servers group, or to an account that has Full Exchange Administrator rights, resolves the behavior temporarily, but the permissions are removed later.



CAUSE
This issue may occur when the Exchange Domain Servers group is also a member of the Builtin Administrators group.



RESOLUTION
To resolve this behavior, remove the Exchange Domain Servers group from the Builtin Administrators group, and then run Setup again by using the /domainprep switch.



MORE INFORMATION
The AdminSDHolder object controls the security settings on the Builtin Administrators, the Schema Administrators, the Enterprise Administrators, and the Domain Administrators groups.

Note: You can see the AdminSDHolder object in the System container in Active Directory Users and Computers. You have to configure Active Directory Users and Computers to display Advanced Features for the System container to be visible. To turn on Advanced Features in Active Directory Users and Computers, click Advanced Features on the View menu.

The access control list (ACL) on the AdminSDHolder object functions as a template for the ACLs that are on members of the various administrative groups in the domain. This is to prevent the ACLs for administrative accounts from being changed, either manually or by moving the accounts to another container.

Every hour, the Microsoft Windows 2000 domain controller that has the primary domain controller (PDC) emulator operations master role verifies the ACL on members of these administrative groups and compares the ACL to the ACL that is on the AdminSDHolder object. If the ACL that is on the AdminSDHolder object is different, the ACL that is on the members of the administrative group is reset to match the ACL that is on the AdminSDHolder object.

During the domain preparation operation (DomainPrep), the Exchange Enterprise Servers group is granted Full Control permissions to the Exchange Enterprise Servers and to the Exchange Domain Servers groups. These permissions are required for Setup to complete. Because the Exchange Enterprise Servers group is not granted Full Control permissions on the AdminSDHolder object, if the Exchange Domain Servers group is added to the Builtin Administrators group, the permissions that are granted through the domain preparation operation are removed later, when the group's ACL is reset to match the AdminSDHolder template.
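The following check is an added example, not part of the original Microsoft article. It reports whether the Exchange Domain Servers group is under AdminSDHolder protection and whether the DomainPrep permission is still present; it assumes the ActiveDirectory PowerShell module (RSAT) is available and that the groups keep their default names.

```powershell
# Added example (not from the KB article). Assumes the ActiveDirectory module
# and the default group names used in the article.
Import-Module ActiveDirectory

$exDomainServers = Get-ADGroup -Identity 'Exchange Domain Servers' -Properties adminCount
$builtinAdmins   = Get-ADGroup -Identity 'S-1-5-32-544'   # well-known SID of Builtin\Administrators
$domainDN        = (Get-ADDomain).DistinguishedName
$adminSDHolder   = "CN=AdminSDHolder,CN=System,$domainDN"
$trustee         = 'Exchange Enterprise Servers'

# 1. Direct or nested membership in Builtin\Administrators (the CAUSE above).
#    1.2.840.113556.1.4.1941 is the LDAP "matching rule in chain" (transitive) OID.
$filter = "(&(distinguishedName=$($exDomainServers.DistinguishedName))" +
          "(memberOf:1.2.840.113556.1.4.1941:=$($builtinAdmins.DistinguishedName)))"
$isNested = [bool](Get-ADGroup -LDAPFilter $filter)

# 2. Does $Trustee hold an unrestricted Allow/Full Control ACE on the object $Dn?
function Test-FullControl([string]$Dn, [string]$Trustee) {
    $full = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $aces = (Get-Acl -Path "AD:\$Dn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$Trustee" -and
        $_.ObjectType -eq [guid]::Empty -and
        ($_.ActiveDirectoryRights -band $full) -eq $full
    }
    return [bool]$aces
}

$groupDN  = $exDomainServers.DistinguishedName
$groupAcl = Get-Acl -Path "AD:\$groupDN"

[pscustomobject]@{
    NestedInBuiltinAdministrators = $isNested
    # adminCount = 1 means the AdminSDHolder thread has stamped this object.
    AdminCount                    = $exDomainServers.adminCount
    # Protected objects have ACL inheritance disabled.
    InheritanceBlocked            = $groupAcl.AreAccessRulesProtected
    FullControlOnGroup            = Test-FullControl $groupDN $trustee
    FullControlOnAdminSDHolder    = Test-FullControl $adminSDHolder $trustee
}
```

`NestedInBuiltinAdministrators` = True together with `FullControlOnAdminSDHolder` = False is the condition the article describes. adminCount is not cleared automatically when the group is later removed from Builtin Administrators, so confirm the fix with the membership check rather than adminCount.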

If you view the Exchange Server Setup Progress Log (located on the root of the boot partition, for example, C:\), you can see the following text:

[03:24:35]    Prerequisites for Microsoft Exchange Instant Messaging Service failed: The component "Microsoft Exchange Messaging and Collaboration Services" cannot be assigned the action "Install" because: - You do not have sufficient permissions in the Domain. The Domain administrator must re-run setup /domainprep or you must create a recipient update service for this domain to update the permissions. - The installation directory "H:\Program Files\Exchsrvr\MDBDATA" must not contain any files

[03:24:35] The component "Microsoft Exchange Messaging and Collaboration Services" cannot be assigned the action "Install" because: - You do not have sufficient permissions in the Domain. The Domain administrator must re-run setup /domainprep or you must create a recipient update service for this domain to update the permissions. - The installation directory "H:\Program Files\Exchsrvr\MDBDATA" must not contain any files

[03:28:05] CComBOIFacesFactory::QueryInterface (K:\admin\src\udog\BO\bofactory.cxx:52) Error code 0X80004002 (16386): No interface.

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

232199 Description and Update of the Active Directory AdminSDHolder Object

318180 AdminSDHolder Thread Affects Transitive Members of Distribution Groups


© Microsoft Corporation. All rights reserved.