
Exchange Server delegated setup fails when the setup account is a member of Domain Admins



Symptoms

When the account that's used to install Microsoft Exchange Server is a member of a security group that has write access to Active Directory Domain Services (AD DS), delegated setup fails. Specifically, the Exchange setup prerequisite check fails on the GlobalServerInstall rule. Additionally, the Exchange setup log contains the following entry:
 
Failed [Rule: GlobalServerInstall] [Message: You must be a member of the 'Organization Management' role group or a member of the 'Enterprise Admins' group to continue.]



Cause

When you use delegated setup, the account that's used to install Exchange Server should be a member of only the Delegated Setup universal security group. If the installation account is a member of Domain Admins or of another group that grants write permissions to AD DS, the prerequisite checks fail.



Resolution

To resolve this issue, install the latest cumulative update for Exchange Server.

After the update is installed, an account that is a member of the Delegated Setup role group and also a member of a security group that has write access to AD DS, such as Domain Admins, can be added to the Server Management role group so that the account can install or upgrade Exchange Server.

See the Server Management role group for more information.



Workaround

To work around this issue, add the account that's used for the Exchange Server installation process to the Delegated Setup group. To do this, run the following PowerShell command:
Add-RoleGroupMember "Delegated Setup" -Member "User One"
Use Active Directory Users and Computers to remove the account from all groups except the Delegated Setup universal security group.



Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. 



More Information

The account must also be added to the local member server's local Administrators group. This grants the setup account permission to log on locally to the member server.
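
The following pre-flight check is an added example, not part of the original Microsoft article. It reports whether a setup account meets the conditions described under Workaround and More Information: membership in Delegated Setup, no other direct or nested group memberships, and membership in the local Administrators group of the member server it is run on. The function name, the 'userone' account name and the allowance for 'Domain Users' are assumptions made for the example.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not Microsoft's code). Run on the member server where Exchange
# setup will be started, with the RSAT ActiveDirectory module installed.
function Test-DelegatedSetupAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Assumption: 'Domain Users' is tolerated because it is the default primary group.
        [string[]] $AllowedGroups = @('Delegated Setup', 'Domain Users')
    )

    $user = Get-ADUser -Identity $SamAccountName

    # Direct memberships of the account.
    $direct = @(Get-ADPrincipalGroupMembership -Identity $user |
                Select-Object -ExpandProperty Name)

    # Nested memberships in the current domain, resolved with the
    # LDAP_MATCHING_RULE_IN_CHAIN matching rule. Escape filter metacharacters in the DN first.
    $dn = $user.DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a' `
                                  -replace '\(', '\28' -replace '\)', '\29'
    $nested = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
                Select-Object -ExpandProperty Name)

    $all        = @($direct + $nested | Sort-Object -Unique)
    $unexpected = @($all | Where-Object { $_ -notin $AllowedGroups })

    # Local Administrators is addressed by its well-known SID so the check also
    # works on localized systems. Only direct members are listed here.
    $localAdmin = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' |
                         Where-Object { $_.SID -eq $user.SID })

    [pscustomobject]@{
        Account           = $user.SamAccountName
        InDelegatedSetup  = $all -contains 'Delegated Setup'
        UnexpectedGroups  = $unexpected      # for example 'Domain Admins'
        LocalAdministrator = $localAdmin
        Ready             = ($all -contains 'Delegated Setup') -and
                            ($unexpected.Count -eq 0) -and $localAdmin
    }
}

# Usage (hypothetical account name):
# Test-DelegatedSetupAccount -SamAccountName 'userone' | Format-List
```

Any group listed in UnexpectedGroups should be reviewed before delegated setup is started; a membership that grants write access to AD DS is what triggers the GlobalServerInstall failure described under Symptoms.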




Article Info
Article ID : 2961741
Revision : 5
Created on : 8/13/2020
Published on : 8/13/2020