PRB: Special Privilege Must Be Added After Delegate Wizard for Commerce Server Active Directory Container

This article was previously published under Q303373

Symptoms

When an account that has been delegated only specific permissions on the MSCS40_ROOT container is used to connect to Active Directory, and you use BizDesk to create users or organizations, you may receive the following error message:
An error occurred while retrieving the security descriptor object. The directory service can perform the requested operation only on a leaf object.
0000208C: UpdErr:DSID-030A02AF, problem 6003 (CANT_ON_NON_LEAF), data 0

Cause

The Microsoft Commerce Server Profile Service needs a user account and password for connecting to Active Directory.

This error occurs when SetGroupPermissions is running within Daroutines.asp. The Commerce Server provider uses IDirectorySearch to retrieve the security setting. IDirectorySearch returns an empty ntsecuritydescriptor if the user does not have rights to read the system access-control list (SACL). This causes a failure when you attempt to create an organization from BizDesk.

Resolution

To retrieve the SACL, the user must have the "Manage auditing and security log" right assigned on the Group Policy object of the Domain Controllers organizational unit. To add this right, follow these steps:
  1. Open the Active Directory Users and Computers snap-in.
  2. In the Domain Controllers folder, right-click the Domain Controllers organizational unit and click Properties.
  3. On the Group Policy tab, click Default Domain Controllers Policy and then click Edit. This opens the Group Policy object snap-in.
  4. In the Group Policy object snap-in, expand Computer Configuration, Windows Settings, Security Settings, Local Policies, and then click User Rights Assignment.
  5. Double-click Manage auditing and security log.
  6. Add the user account.
  7. Restart the Commerce Server computer.
NOTE: Users with the "Manage Auditing and Security Log" right can only change auditing on an object for which they have Read permissions. If a user does not have Read permissions on the object, nothing can be done in that user's security context. This right is only active when auditing is enabled on the domain.
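The following PowerShell check is added here and is not part of the KB article or of Commerce Server. It uses DirectorySearcher, the .NET wrapper over the same IDirectorySearch interface the Commerce Server provider calls, to show the behavior described under Cause and to confirm the fix once the right has been assigned: the delegated account is asked for the container's nTSecurityDescriptor once with only the DACL and once with the SACL requested. The container path and the function name are placeholders.

```powershell
# Diagnostic for the cause described in this article: without the
# "Manage auditing and security log" right, a search that requests the
# SACL part of nTSecurityDescriptor returns no value for that attribute,
# which is what makes the BizDesk organization creation fail.
Add-Type -AssemblyName System.DirectoryServices

function Test-ContainerSaclRead {
    param(
        # Placeholder path; substitute the real MSCS40_ROOT container DN.
        [string]$ContainerPath = 'LDAP://OU=MSCS40_ROOT,OU=SupplierAD,DC=example,DC=com',
        # The delegated account the Profile Service binds with.
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        $ContainerPath,
        $Credential.UserName,
        $Credential.GetNetworkCredential().Password)

    $outcome = [ordered]@{}
    foreach ($mask in 'Dacl', 'Sacl') {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        $searcher.SearchScope = 'Base'
        $searcher.Filter = '(objectClass=*)'
        [void]$searcher.PropertiesToLoad.Add('nTSecurityDescriptor')
        # SecurityMasks selects which parts of the descriptor are requested.
        $searcher.SecurityMasks = [System.DirectoryServices.SecurityMasks]$mask
        $result = $searcher.FindOne()
        # True only if the server actually returned a descriptor value.
        $outcome[$mask] = ($null -ne $result) -and
            $result.Properties.Contains('ntsecuritydescriptor') -and
            ($result.Properties['ntsecuritydescriptor'].Count -gt 0)
    }
    $root.Dispose()
    return $outcome
}

$cred  = Get-Credential -Message 'Delegated Commerce Server AD account'
$check = Test-ContainerSaclRead -Credential $cred
$check
if ($check['Dacl'] -and -not $check['Sacl']) {
    Write-Warning ('DACL readable but SACL not returned: assign "Manage auditing ' +
        'and security log" in the Default Domain Controllers Policy, then restart Commerce Server.')
}
```

Run it as the delegated account before and after the Resolution steps: Dacl should be True in both runs, and Sacl should change from False to True once the right has been applied on the domain controllers.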

Status

This behavior is by design.

More information

Steps to Reproduce Behavior

  1. In Active Directory, create a new user named supplier_admin.
  2. Unpackage the SupplierAD Solution Site. When you are asked for the Active Directory user, make sure that you use an account that is a member of the Domain Admins group or the containers in Active Directory will not be created correctly.
  3. After the site is unpackaged, open the Active Directory Users and Computers MMC snap-in and run the Delegated Admin Wizard on the container for the Supplier site (for example, OU=MSCS40_ROOT, OU=SupplierAD).
  4. Grant the user full control over the container by using the Custom option in the wizard.
  5. Start BizDesk and attempt to create a new organization. Note that initially the operation appears to succeed, but BizDesk then reports that the organization failed to be created.

Keywords: KB303373, kbprb

Article Info
Article ID : 303373
Revision : 4
Created on : 10/9/2003
Published on : 10/9/2003