XADM: Policytest Utility Returns 'Right NOT Found' Result

You may experience one or more of the following symptoms:

• You may receive the following results after you run the Policytest utility (Policytest.exe):

  ================================================
  Local domain is "<example>.com" (EXAMPLE)
  Account is "EXAMPLE\Exchange Enterprise Servers"
  ========================
    DC      = "<ComputerName>"
    In site = "<Default-First-Site-Name>"
    !!! Right NOT found !!!
  							

  You may have run Policytest.exe to determine if the "Manage auditing and security logs" permission for the Exchange Enterprise Servers group is missing on any or all of the domain controllers. Policytest.exe is located on the Exchange 2000 Server CD-ROM in the Support\Utils\I386 folder.
• After you run the setup /domainprep command from the Exchange 2000 Server CD-ROM or from a network installation point, the permissions may not persist. You may have run this command to add the Exchange Enterprise Servers group to the domain with default permissions.
• One or more Exchange 2000 Server-related services may not start.
• One or more of the following six events may be listed in the Event Viewer Application log:
  Event Type: Error
  Event Source: MSExchangeDSAccess
  Event Category: (3)
  Event ID: 2102
  Date: date
  Time: time
  User: N/A
  Computer: computer name
  Description:
  Process MAD.EXE (PID=1588). All Domain Controller Servers in use are not responding:
  DomainController1.domain.com
  DomainController2.domain.com
  
  For more information, click
  http://search.support.microsoft.com/search/?adv=1.
  Event Type: Error
  Event Source: MSExchangeDSAccess
  Event Category: (3)
  Event ID: 2103
  Date: date
  Time: time
  User: N/A
  Computer: computer name
  Description:
  Process MAD.EXE (PID=1588). All Global Catalog Servers in use are not responding:
  DomainController1.domain.com
  DomainController2.domain.com
  
  For more information, click
  http://search.support.microsoft.com/search/?adv=1.
  Event Type: Error
  Event Source: MSExchangeIS
  Event Category: (6)
  Event ID: 1121
  Date: date
  Time: time
  User: N/A
  Computer: computer name
  Description:
  Error 0x80004005 connecting to Microsoft Active Directory.
  For more information, click
  http://search.support.microsoft.com/search/?adv=1.
  Event Type: Error
  Event Source: MSExchangeIS
  Event Category: (6)
  Event ID: 5000
  Date: date
  Time: time
  User: N/A
  Computer: computer name
  Description:
  Unable to initialize Microsoft Exchange Information Store service. Error 0x80004005.
  For more information, click
  http://search.support.microsoft.com/search/?adv=1.
  Event Type: Error
  Event Source: MSExchangeSA
  Event Category: (2)
  Event ID: 9098
  Date: date
  Time: time
  User: N/A
  Computer: computer name
  Description:
  The MAD monitoring thread was unable to read its configuration from the DS, error '0x80041001'.
  For more information, click
  http://search.support.microsoft.com/search/?adv=1.
  Event Type: Error
  Event Source: MSExchangeSA
  Event Category: (12)
  Event ID: 9074
  Date: date
  Time: time
  User: N/A
  Computer: computer name
  Description:
  The Directory Service Referral interface failed to service a client request. RFRI is returning the error code:[0x3f0].
  For more information, click
  http://search.support.microsoft.com/search/?adv=1.

This issue may occur if the Exchange Enterprise Servers security group does not have Manage auditing and security logs permissions on the domain controller. The Exchange Enterprise Servers group must have Manage auditing and security logs permissions on all the domain controllers in the domain. This may be caused if any of the following conditions exist:

• The Default Domain Controllers policy does not list the "Manage auditing and security logs" permission for the Exchange Enterprise Servers group.
• The File Replication Service (FRS) does not successfully replicate an updated security policy to one or more domain controllers. This policy assigns "Manage auditing and security logs" permissions to the Exchange Enterprise Servers group.
• Additional domain controller policies are applied to a domain controller after the Default Domain Controllers policy. These policies do not give the Exchange Enterprise Servers group the "Manage auditing and security logs" permissions.
• All domain controller server objects have been moved from the Active Directory Domain Controllers container.

To resolve this issue:

1. Use the Policytest tool (Policytest.exe) to troubleshoot permissions. Policytest.exe is located on the Exchange 2000 Server CD-ROM in the Support\Utils\I386 folder. Use Policytest to determine if the "Manage auditing and security logs" permission for the Exchange Enterprise Servers group is missing on any or all of the domain controllers. A successful result returns information that is similar to the following:

   ================================================
   Local domain is "<example.com>" (EXAMPLE)
   Account is "EXAMPLE\Exchange Enterprise Servers"
   ========================
     DC      = "<ComputerName>"
     In site = "<Default-First-Site-Name>"
     Right found:  "SeSecurityPrivilege"
   							

   NOTE: A successful result shows that the "Manage auditing and security logs" permissions exist. You must have domain administrator rights to run Policytest successfully.For additional information about the Policytest utility, click the article number below to view the article in the Microsoft Knowledge Base:
   281537� XADM: Description of the Policytest.exe Utility
2. Manually add the SeSecurityPrivilege right to all domain controller Group Policy Objects. The setup.exe /domainprep command only updates the Default Domain Controllers policy. This command does not update additional domain controller policies that may be applied after the Default Domain Controllers policy. To manually add the SeSecurityPrivilege right:
   1. Start the Active Directory Users and Computers snap-in.
   2. Right-click the Domain Controllers container, and then click Properties.
   3. Click the Group Policy tab, click Default Domain Controllers Policy in the Group Policy Object Links box, and then click Edit.
   4. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.
   5. In the right pane, double-click Manage auditing and security log, click Add, click Browse, click Exchange Enterprise Servers, click Add, and then click OK.
   6. In the Add user or group dialog box, click OK, and then click OK.
   7. Quit the Group Policy snap-in.
   8. If additional domain controller policies are listed in the Domain Controllers Properties dialog box, click the next domain controller policy, and then click Edit.
   9. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.
   10. In the right pane, double-click Manage auditing and security log, and then click to select the Define these policy settings check box.
   11. Click Add, click Browse, click Administrators, click Add, click Exchange Enterprise Servers, click Add, and then click OK.
   12. In the Add user or group dialog box, click OK, and then click OK.
   13. Quit the Group Policy snap-in.
   14. Repeat this process to edit the permissions of all the other domain controller Group Policy Objects.
   15. When you are finished, click OK to close the Domain Controllers Properties dialog box, and then wait for the changes to be replicated throughout the domain.
   16. Run the Policytest utility to confirm that the following result is returned for each domain controller in the domain:
       Right found: "SeSecurityPrivilege"
   17. Restart the Exchange 2000 services.
3. Move all domain controller objects back into the Domain Controllers container, and then wait five minutes until the default domain controller policy is refreshed. The default domain controller policy is refreshed every 5 minutes. To refresh the default domain controller policy manually, run secedit /refreshpolicy machine_policy /enforce on every domain controller.For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
   227302� Using SECEDIT to Force a Group Policy Refresh Immediately

NOTE: Sometimes, the Exchange Enterprise Servers group may not be visible when you click Browse in the Add user or group dialog box. If this occurs, add the Exchange Domain Servers group, and then run the setup /domainprep command again. This process makes the addition of the Exchange Enterprise Servers group by the setup /domainprep command persist across all domain controllers.

Before you make policy changes on a domain controller, confirm that FRS replication has copied the necessary policy to that domain controller. Use Policytest so that you do not have to manually check every domain controller in a large domain. Policytest connects to every domain controller in the domain, and then verifies that the Exchange Enterprise Servers group has the rights to manage the security and auditing log, either directly or through inheritance. You must have domain administrator rights to run Policytest successfully.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base: