Done a Unity 405 UM to 421 - used to be able to add users as well as import but now can only import. Adding a user fails; used DAD tool to test dir service account to add a user; that failed and prompted me to check the directoryaccessdiagnostic.log in temp directory but I couldn't find that anywhere on the box. Nothing in event viewer either. Ran latest perm wiz but still cannot add users. Checked registry for key 'disablenew exchsub' that was set to 0 (I think that's right - if it was 1 then that would imply that I wouldn't be able to add). Any advice appreciated. TIA, Jeff
- Do you see the right DC/GC listed when using DCGC Reconnect Tool?
- Check windows services and confirm all the AD services are starting using the Dir Srv Account
Mahesh, thanks for the quick reply. The Unity services avdsad and avdsglobalcatalog are both started with the Dir service account.
The DCGC reconnect tool reports the correct information.
Looks like a permissions issue to me. Couple of things that you need to check.
1. If you are trying to add the user from Unity, ensure that the Dir Svc Account has Exchange Admin rights on the server which Unity is integrated to. Also, this user needs to be a part of the Local Administrators on Exchange and a member of the Administrators group in AD Users and Computers.
2. For users you are not able to import, ensure that Inherit Permissions is selected for the user.
Yes, thanks, I have checked it against the permissions doc and all seems OK. Permissions are being inherited, just strange that it worked before the upgrade and not now.
Hi - a few things I would check:
1. Check for inheritance on the specific user. Check the Security tab, Advanced tab for the user account and make sure the check box is checked. If this is unchecked, the unitydirsvc and unitymsgstoresvc accounts do not get permission. The typical error is what you are seeing when attempting to add a user in Unity SA. Check the effective permissions on the user's account to see if the user is a member of a group that gets explicitly denied.
2. When you ran the Unity permissions wizard for the 4.2 upgrade, there is a check box that specifies whether or not Unity will have permission to ADD subscribers or IMPORT subscribers. I would also rerun the permissions wizard and REPORT on the permissions to ensure all is OK here.
Plus the other post recommendations are excellent, avdsad trace would give you more detail on the specific error.
Thanks for your replies guys. The OU where I'm trying to create new users in the directory account has inherited create rights for users. I ran latest perm wiz and selected to add subscribers. adsad tool does not allow me to create users and the attached trace shows I do not have rights. No GPOs blocking inheritance here and there's only one GC/DC that Unity is using. I know it's an inheritance issue but can't see the problem to fix... Thanks, Jeff
I ran the report of privileges from perm wizard for dir account. It gave the following error:
ACCESS DENIED because there is no Allow ACE.
How can I fix that? Cheers, Jeff
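An added example, not part of the thread and not the Permissions Wizard's own logic: a simplified Python model of a DACL access check, showing how the inheritance check box discussed above and the "no Allow ACE" report relate. The trustee names, group membership and ACE lists are constructed; only the `CREATE_CHILD` bit value matches the real Active Directory right.

```python
# Simplified model of a Windows DACL access check (constructed sample data).
from dataclasses import dataclass

CREATE_CHILD = 0x1  # same bit value as ADS_RIGHT_DS_CREATE_CHILD


@dataclass(frozen=True)
class Ace:
    kind: str            # "allow" or "deny"
    trustee: str         # account or group name (constructed)
    mask: int            # access rights covered by this ACE
    inherited: bool = False


def effective_dacl(explicit, parent_inheritable, inherit_enabled):
    """Explicit ACEs first; parent ACEs are added only if inheritance is on."""
    dacl = list(explicit)
    if inherit_enabled:
        dacl += [Ace(a.kind, a.trustee, a.mask, True) for a in parent_inheritable]
    # Canonical order: explicit before inherited, deny before allow in each group.
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))


def access_check(dacl, token, desired):
    """Walk the DACL in order and return (granted, reason)."""
    remaining = desired
    for ace in dacl:
        if ace.trustee not in token:
            continue  # ACE does not apply to this caller
        if ace.kind == "deny" and ace.mask & remaining:
            return False, f"ACCESS DENIED by Deny ACE for {ace.trustee}"
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True, f"granted by Allow ACE for {ace.trustee}"
    # No Deny ACE is needed to fail: rights never granted are implicitly denied.
    return False, "ACCESS DENIED because there is no Allow ACE"


# Constructed scenario: the service account gets "create child" from the parent OU.
TOKEN = {"unitydirsvc", "Domain Users"}
PARENT = [Ace("allow", "unitydirsvc", CREATE_CHILD)]


def scenario(inherit_enabled, explicit=()):
    dacl = effective_dacl(explicit, PARENT, inherit_enabled)
    return access_check(dacl, TOKEN, CREATE_CHILD)


if __name__ == "__main__":
    print(scenario(True))    # inheritance on: inherited Allow ACE applies
    print(scenario(False))   # inheritance off: nothing grants the right
    print(scenario(True, [Ace("deny", "Domain Users", CREATE_CHILD)]))
```

The second case fails without any Deny ACE present, while the third shows the group-membership deny that the effective permissions check is meant to catch.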