
Re-adding Unity to an Active Directory account

3dperrier
Level 1

When we remove Unity from a user account and then want to add Unity back to that user account again, the AD account is not available to be imported into Unity. We tried the RemoveSubscriberProperties (BunnyKiller app) and it did remove the Unity properties from the account. Then the user was available to be imported into Unity; however, when we import the user the import fails with the error "An unrecognized error 0x80070005 has occurred E_ACCESSDENIED". We have tried it while signed on as the Unity install account and the Unity admin account. Anyone run into this before? These accounts were migrated from another Unity in the past using GSM, and we are running Unity 5.0(1). Thanks folks.


lindborg
Cisco Employee

Right off hand it sounds like a permissions issue - the account you are logged in as at the time you do the import doesn't come into play - the account associated with the Unity services is used when creating/importing users from AD. The directory facing account might not have rights to update some property on the AD account for objects in that container (i.e. permissions inheritance issue perhaps?). Kind of hard to speculate with this amount of info, but access denied means what it says - AD is denying access to something here.

Hi,

We are receiving the exact same error message when trying to import a user into Unity.

We're running Unity 5.0.1 and Exchange 2007.

Did you manage to resolve the issue?

Thanks,

Jeroen

You're right, it is a permissions thing. I tested it out by putting Unity's Directory Services account into Domain Admins, and the problem went away, so looks like there are missing permissions.

However, I ran the latest perms wizard 2.2.0.36 on this Unity 5.0(1) box, and the only problem it found was the Deleted Objects OU: "Deleted Objects rights: nlrha.ab.ca/Deleted Objects; List contents() Right: ACCESS DENIED because there is no exact Allow ACE". It looks like there is no "deleted objects" OU so I suppose this error is expected. Otherwise all other permissions showed as succeeded.

I wonder if permissions wizard is missing some required permissions, and I may have to grant domain admins to the Unity Directory Services account permanently.

Hi -

Another thing to mention here is inheritance. Make sure inheritance is checked on the userid's account Security tab - Advanced. If this box is not checked, attempting to import the user will get the access denied error because the Unity directory service account cannot update the ciscoecsbu* schema attributes. Hope this helps.

Ginger

Thanks for the last comment! I was having the same issue but successfully added other subscribers to Unity that were in the same OU. I had my Exchange team check the inheritance box on the user's account and was then able to add this particular subscriber.

Cody
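The inheritance check described in the two posts above can be run across a whole OU instead of one Security tab at a time. This is an added example, not part of the original thread and not a Cisco tool; it assumes the ActiveDirectory PowerShell module is installed, and the OU distinguished name and function names are placeholders.

```powershell
# Added example: find AD users whose ACL no longer inherits from the parent
# container, which prevents a delegated service account from writing attributes.
Import-Module ActiveDirectory

function Get-UserInheritanceStatus {
    param(
        # Placeholder OU distinguished name; replace with the container to audit
        [Parameter(Mandatory)] [string] $SearchBase
    )
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties nTSecurityDescriptor, adminCount |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName      = $_.SamAccountName
                DistinguishedName   = $_.DistinguishedName
                # True means the inheritance box on Security > Advanced is unchecked
                InheritanceDisabled = $_.nTSecurityDescriptor.AreAccessRulesProtected
                # adminCount = 1 marks accounts protected by AdminSDHolder; AD will
                # switch inheritance off again on those, so fix group membership first
                AdminCount          = $_.adminCount
            }
        }
}

function Enable-UserInheritance {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string] $DistinguishedName
    )
    process {
        $path = "AD:\$DistinguishedName"
        $acl  = Get-Acl -Path $path
        # isProtected = $false turns inheritance back on; explicit ACEs are kept
        $acl.SetAccessRuleProtection($false, $true)
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Re-enable ACL inheritance')) {
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Report first; review the list before changing anything
Get-UserInheritanceStatus -SearchBase 'OU=Example,DC=example,DC=com' |
    Where-Object InheritanceDisabled |
    Format-Table SamAccountName, AdminCount, DistinguishedName -AutoSize
```

Piping the reviewed results to `Enable-UserInheritance -WhatIf` previews the change, and fixing the affected objects this way keeps the directory services account out of Domain Admins.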

I am having the same issue. Unity 5, Exchange 2007. Had a user added, user was deleted from Unity but AD account remained. Tried to re-add user but the user doesn't show up to import. I tried to use Global Subscriber Manager and ADSIEdit to remove the Unity properties from the user to no avail. I have rerun permissions wizard and everything passes. Thoughts?
