Article ID: 924255 - Last Review: October 25, 2007 - Revision: 1.3

How to troubleshoot access denied in a split permission model or minimum permissions model


SYMPTOMS

When the administrative snap-in that you are using reports an "Access denied" error code, customers frequently wonder which attributes they do not have permission to change. This happens most frequently for delegated user accounts that have a limited set of permissions to change an OU or a domain, where the delegated user is not a member of "Account Operators" or "Domain Admins."

The "Access Denied" error code 0x80007005 is actually a Win32 interpretation of the LDAP error code. To determine the LDAP error code and the attribute to which you do not have access, follow the steps in the Resolution section.

RESOLUTION

To resolve this issue, enable auditing for Failure on the object that you are trying to change. Then try to make the change to this object. You can also look for Event 566 about the object in the Security log on the DC; this should tell you the exact permissions that you are lacking.
After you configure an audit policy setting, you can configure auditing for specific objects, such as users, computers, organizational units, or groups, by specifying both the kinds of access and the users whose access you want to audit.

To configure auditing for specific Active Directory objects:
  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Make sure that Advanced Features is selected on the View menu by making sure that the command has a check mark next to it.
  3. Right-click the Active Directory object that you want to audit, and then click Properties.
  4. Click the Security tab, and then click Advanced.
  5. Click the Auditing tab, and then click Add.
  6. Complete one of the following:
    • Type the name of the user or the name of the group whose access you want to audit in the Enter the object name to select box, and then click OK.
    • In the list of names, double-click either the user or the group whose access you want to audit.
  7. Click to select either the Successful check box or the Failed check box for the actions that you want to audit, and then click OK.
  8. Click OK, and then click OK.
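
Once failure auditing is in place and the change has been retried, the Event 566 entries can be pulled from the DC's Security log with a script instead of browsing Event Viewer. The following is an added example, not part of the original article; the object DN is a placeholder, and the field labels parsed from the message text ("Client User Name", "Object Type", "Object Name", "Accesses") are assumptions about the event's layout, so the full message is printed as well.

```powershell
# Added example: list failed directory-access audits (Event 566) for one object.
# Assumptions: Windows PowerShell with Get-EventLog, read access to the DC's
# Security log, and a placeholder DN that you replace with the audited object.
param(
    [string]$ComputerName = $env:COMPUTERNAME,                # DC to query
    [string]$ObjectDn     = 'OU=Example,DC=example,DC=com',   # placeholder DN
    [int]$Hours           = 1                                 # look-back window
)

function Get-MessageField {
    param([string]$Message, [string]$Label)
    # Returns the text after "Label:" on the same line, or $null if absent.
    $pattern = '(?m)^\s*' + [regex]::Escape($Label) + ':[ \t]*(.*?)\s*$'
    $m = [regex]::Match($Message, $pattern)
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

# Failure audits only, Event 566 only, limited to the recent window.
$events = Get-EventLog -LogName Security -ComputerName $ComputerName `
              -InstanceId 566 -EntryType FailureAudit `
              -After (Get-Date).AddHours(-$Hours) -ErrorAction SilentlyContinue

$events |
    Where-Object {
        # Case-insensitive literal match on the object's DN.
        $_.Message.IndexOf($ObjectDn, [StringComparison]::OrdinalIgnoreCase) -ge 0
    } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Time       = $_.TimeGenerated
            ClientUser = Get-MessageField $_.Message 'Client User Name'
            ObjectType = Get-MessageField $_.Message 'Object Type'
            ObjectName = Get-MessageField $_.Message 'Object Name'
            Accesses   = Get-MessageField $_.Message 'Accesses'
            Message    = $_.Message   # full text; the property list may span lines
        }
    } |
    Sort-Object Time |
    Format-List Time, ClientUser, ObjectType, ObjectName, Accesses, Message
```

If nothing is returned, confirm that the audit entry from the steps above covers the delegated user and that the change was attempted inside the look-back window.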

APPLIES TO
  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange Server 2003 Standard Edition
Keywords: 
kbprb kbtshoot KB924255