Unity 405 to 421 cannot add users

Mar 9th, 2007

Done a Unity 405 UM to 421 - used to be able to add users as well as import, but now can only import. Adding a user fails. Used dad tool to test dir service account to add a user; that failed and prompted me to check the directoryaccessdiagnostic.log in the temp directory, but I couldn't find that anywhere on the box. Nothing in event viewer either. Ran latest perm wiz but still cannot add users. Checked registry for key 'disablenew exchsub'; that was set to 0 (I think that's right - if it was 1 then that would imply that I wouldn't be able to add). Any advice appreciated. TIA, Jeff

mchandak Fri, 03/09/2007 - 07:14

- Do you see the right DC/GC listed when using the DCGC Reconnect Tool?

- Check Windows services and confirm all the AD services are starting using the Dir Srv Account.

jeff.singh_2 Fri, 03/09/2007 - 07:38

Mahesh, thanks for the quick reply. The Unity services avdsad and avdsglobalcatalog are both started with the Dir service account.

The DCGC reconnect tool reports the correct information.


mchandak Fri, 03/09/2007 - 07:48

Can you try to add the user again and get the log file? The file should be located at c:\documents and settings\\Temp folder.

jeff.singh_2 Fri, 03/09/2007 - 08:16

Mahesh, still can't see the log file - even in the directory you state, searched the whole box!

This is the error we get on the screen, if it helps.

Thanks again..Jeff

mchandak Fri, 03/09/2007 - 08:30

Looks like a permissions issue to me. A couple of things that you need to check:

1. If you are trying to add the user from Unity, ensure that the Dir Svc Account has Exchange Admin rights on the server which Unity is integrated to. Also, this user needs to be a part of the Local Administrators on Exchange and a member of the Administrators group in AD Users and Computers.

2. For users you are not able to import, ensure that Inherit Permissions is selected for the user.

jeff.singh_2 Fri, 03/09/2007 - 09:20

Yes, thanks, I have checked it against the permissions doc and all seems OK. Permissions are being inherited; just strange that it worked before the upgrade and not now.

mchandak Fri, 03/09/2007 - 09:35

Can you enable avdsad traces, try to add the user and attach it here?

Or open a TAC case.

Ginger Dillon Mon, 03/12/2007 - 10:44

Hi - a few things I would check:

1. Check for inheritance on the specific user. Check the Security tab, Advanced tab for the user account and make sure the check box is checked. If this is unchecked, the unitydirsvc and unitymsgstoresvc accounts do not get permission. The typical error is what you are seeing when attempting to add a user in Unity SA. Check the effective permissions on the user's account to see if the user is a member of a group that gets explicitly denied.

2. When you ran the Unity permissions wizard for the 4.2 upgrade, there is a check box that specifies whether or not Unity will have permission to ADD subscribers or IMPORT subscribers. I would also rerun the permissions wizard and REPORT on the permissions to ensure all is OK here.

Plus the other post recommendations are excellent, avdsad trace would give you more detail on the specific error.

Regards, Ginger

jeff.singh_2 Mon, 03/12/2007 - 15:04

Thanks for your replies, guys. The OU where I'm trying to create new users in the directory account has inherited create rights for users. I ran latest perm wiz and selected to add subscribers. adsad tool does not allow me to create users and the attached trace shows I do not have rights. No GPOs blocking inheritance here and there's only one GC/DC that Unity is using. I know it's an inheritance issue but can't see the problem to fix... Thanks, Jeff

jeff.singh_2 Mon, 03/12/2007 - 16:08

I ran the report of privileges from perm wizard for dir account. It gave the following error:

ACCESS DENIED because there is no Allow ACE.

How can I fix that?..cheers jeff

