Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

You receive an "ID no: c10308a2" error message when you use the Active Directory Users and Computers snap-in to remotely add or edit an e-mail address for a mail-enabled user in Exchange Server 2003



Symptoms

You are running Microsoft Exchange Server 2003 on a server that has Microsoft Windows Server 2003 Service Pack 1 (SP1) installed. When you use the Active Directory Users and Computers snap-in to remotely add or edit an e-mail address for a mail-enabled user, you receive the following error message.
An Exchange server could not be found in the domain. Check if the Microsoft System Attendant service is running on the Exchange Server. ID no: c10308a2 Microsoft Active Directory - Exchange Extension
Additionally, you receive this error message if the following conditions are true:
  • You remotely connect to Exchange Server 2003 by using Exchange System Manager.
  • The remote Exchange server does not have the local administrator identity.



Cause

This problem occurs if the following conditions are true:
  • Users are delegated Exchange Server administrator roles.
  • The users who are delegated Exchange Server administrator roles are not members of the Domain Admins group or the Local Admins group on the Exchange server.
  • You have implemented the Exchange Server 2003 Security Hardening templates.
Therefore, the users cannot log on to the Exchange server.

Windows Server 2003 SP1 limits the ability of users who are not administrators to remotely access the Service Control Manager (SCM). Therefore, Exchange System Manager or the Active Directory Users and Computers snap-in cannot determine the Exchange Server services that are running.

Note This problem does not occur if Windows Server 2003 SP1 is not installed on the Exchange server.



Workaround

To work around this problem, follow these steps.

Step 1: Install Exchange System Manager on a workstation that is connected to the network

  1. Insert the Exchange Server 2003 CD into the CD drive on the computer.
  2. If the Exchange Setup program starts automatically, click Exchange Deployment Tools. Otherwise, run Setup.exe from the root folder of the CD.
  3. Click Exchange System Management Tools only.
  4. Complete the steps in the wizard to install Exchange System Manager.
For more information about factors that you must consider when you install Exchange System Management tools on Windows XP, click the following article number to view the article in the Microsoft Knowledge Base:
834121 What to consider when you install Exchange System Management Tools on Windows XP

Step 2: Start a Network Monitor trace on the client workstation

Note Make sure that Exchange System Manager is not running on the Exchange server.

Step A: Install Network Monitor

To install Windows Network Monitor, you must first install the Network Monitor driver. Then, install Network Monitor Tools. To install the Network Monitor driver, follow these steps:
  1. Click Start, point to Settings, and then click Network Connections.
  2. Double-click the local area connection that you want, and then click Properties.
  3. On the General tab, click Install.
  4. Click Protocol, and then click Add.
  5. Click Network Monitor Driver, and then click OK.
  6. Click Close two times, and then close the Network Connections window.
To install the Network Monitor Tools, follow these steps:
  1. Click Start, point to Settings, and then click Control Panel.
  2. Click Add/Remove Windows Components.
  3. Click Management and Monitoring Tools, and then click Details.
  4. Click to select the Network Monitoring Tools check box, and then click OK.
  5. Click Next. If you are prompted to insert a disk, insert the Windows Server 2003 CD into the CD drive. Then, go to step 6. If the files are located on a network share, click OK, click Browse, move to the appropriate folder, and then click Open.
  6. Click OK, click Finish, and then close the Add or Remove Programs dialog box.

Step B: Start a Network Monitor trace

  1. Click Start, point to Programs, point to Administrative Tools, and then click Network Monitor.
  2. On the Capture menu, click Networks.
  3. Expand Local Computer, click the local area connection that you want, and then click OK.
  4. On the Capture menu, click Start.

Step 3: Reproduce the problem

  1. Open the Active Directory Users and Computers snap-in on the workstation. Then, connect to the domain controller that hosts the user whose account you want to modify.
  2. Perform the steps that caused the error that is mentioned in the "Symptoms" section. When you receive the error, start Network Monitor and follow these steps:
    1. On the Capture menu, click Stop.
    2. On the File menu, click Save as.
    3. In the File name box, type an appropriate file name, and then click Save. The file is saved with a .cap file name extension.

Step 4: Review the Network Monitor trace

To review the Network Monitor trace, open the file that you captured and then examine the list of entries. To do this, follow these steps:
  1. In Network Monitor, click Open on the File menu.
  2. Click the file that you captured, and then click Open.
When you review the Network Monitor trace, check whether Exchange System Manager binds to the Service Control Manager. In the trace, this bind appears as an RPC Bind to UUID 367ABB81-9844-35F1-AD32-98F038001003. If the RPC bind succeeds, it is followed by a call to OpenSCManager, opnum 0xF. If the opnum 0xF call fails, the response contains an error code at the end of the packet data. In the following example, the error code is the last four bytes of the packet data (05 00 00 00):
00000030 FF 53 4D 42 25 00 .SMB%.
00000040 00 00 00 98 07 C8 00 00 00 00 00 00 00 00 00 00 ................
00000050 00 00 03 78 E0 0A 01 D8 80 01 0A 00 00 30 00 00 ...x.........0..
00000060 00 00 00 38 00 00 00 30 00 38 00 00 00 00 00 31 ...8...0.8.....1
00000070 00 40 05 00 02 03 10 00 00 00 30 00 00 00 01 00 .@........0.....
00000080 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 ................
000000A0 00 00
Here, error code 0x5 indicates that access is denied. If the opnum 0xF call fails with a 0x5 error code, the user does not have permissions to Service Control Manager. To resolve this issue, use the sc sdset SCMANAGER command to modify the permissions. For more information about how to modify permissions, see the "Method 1: Use the Sc.exe tool to grant sufficient permissions to authenticated users" section.

If the opnum 0xF call succeeds, the response will contain a handle instead of an error code. The following output is an example of a successful opnum 0xF call:
00000030 FF 53 4D 42 25 00 .SMB%.
00000050 00 00 02 D8 E0 0A 00 C0 80 01 0A 00 00 30 00 00 .............0..
00000060 00 00 00 38 00 00 00 30 00 38 00 00 00 00 00 31 ...8...0.8.....1
00000070 00 4C 05 00 02 03 10 00 00 00 30 00 00 00 01 00 .L........0.....
00000080 00 00 18 00 00 00 00 00 00 00 00 00 00 00 C9 C6 ................
00000090 9A AC C8 25 33 47 A8 73 B0 0A 14 8D 0D CE 00 00 ...%3G.s........
000000A0 00 00 ..
Next, an OpenService, or opnum 0x10, call is made. Again, if the opnum 0x10 call fails, the response contains an error code at the end of the packet data. In the following example, the error code is again the last four bytes of the packet data (05 00 00 00):
00000030 FF 53 4D 42 25 00 .SMB%.
00000040 00 00 00 98 07 C8 00 00 00 00 00 00 00 00 00 00 ................
00000050 00 00 02 D8 E0 0A 00 C0 C0 01 0A 00 00 30 00 00 .............0..
00000060 00 00 00 38 00 00 00 30 00 38 00 00 00 00 00 31 ...8...0.8.....1
00000070 00 58 05 00 02 03 10 00 00 00 30 00 00 00 02 00 .X........0.....
00000080 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 ................
000000A0 00 00 ..
If the OpenService call fails with the error code 0x5, the user does not have permissions to the service itself. You can see the name of the service that is being opened in the packet data for the 0x10 request. In the following example, the service that is being opened is MSExchangeSA, which appears as a Unicode (UTF-16) string in the rows at offsets 000000C0 and 000000D0:
00000080 05 00 ..
00000090 00 03 10 00 00 00 58 00 00 00 02 00 00 00 40 00 ......X.......@.
000000A0 00 00 00 00 10 00 00 00 00 00 C9 C6 9A AC C8 25 ...............%
000000B0 33 47 A8 73 B0 0A 14 8D 0D CE 0D 00 00 00 00 00 3G.s............
000000C0 00 00 0D 00 00 00 4D 00 53 00 45 00 78 00 63 00 ......M.S.E.x.c.
000000D0 68 00 61 00 6E 00 67 00 65 00 53 00 41 00 00 00 h.a.n.g.e.S.A...
000000E0 F1 35 04 00 00 00 .5....
If the operation fails at this step, you must add permissions to the service itself. For information about how to add permissions to the service, see the "Method 2: Add Read and Write permissions to the user account" section.
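
The check described in this step, as an added Python example that is not part of the original article: it rebuilds the bytes from Network Monitor hex-pane rows, reads the status at the end of an opnum 0xF or 0x10 response, and extracts the service name from the opnum 0x10 request. The function names are illustrative, the sample rows are copied from the dumps above, and the offsets assume a 24-byte connection-oriented RPC request header and a 20-byte context handle.

```python
import re
import struct

WIN32 = {0: "ERROR_SUCCESS", 5: "ERROR_ACCESS_DENIED"}
# Section of this article that applies when each SCM call is denied.
FIX = {0x0F: "Method 1 (SCMANAGER)", 0x10: "Method 2 (the service itself)"}

def dump_bytes(dump):
    """Rebuild bytes from hex-pane rows: offset, up to 16 hex bytes, ASCII column."""
    out = bytearray()
    for row in dump.strip().splitlines():
        for tok in row.split()[1:17]:
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break  # reached the ASCII column
            out.append(int(tok, 16))
    return bytes(out)

def scm_response(dump):
    """Return (20-byte context handle, status) from the end of a response."""
    data = dump_bytes(dump)
    return data[-24:-4], struct.unpack("<I", data[-4:])[0]

def diagnose(opnum, dump):
    handle, status = scm_response(dump)
    if status == 0:
        return f"opnum {opnum:#x} succeeded, handle {handle.hex()}"
    return f"opnum {opnum:#x} failed: {WIN32.get(status, hex(status))}, see {FIX[opnum]}"

def requested_service(dump):
    """Return (opnum, service name) from a request dump that starts at the RPC header."""
    pdu = dump_bytes(dump)
    opnum = struct.unpack_from("<H", pdu, 22)[0]   # last field of the 24-byte header
    stub = pdu[24:]                                # handle (20), max, offset, count
    count = struct.unpack_from("<I", stub, 28)[0]  # UTF-16 units, terminator included
    return opnum, stub[32:32 + 2 * count].decode("utf-16-le").rstrip("\x00")

# Rows copied from the dumps in this article: two response tails, one 0x10 request.
DENIED = """00000080 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 ................
000000A0 00 00 .."""
OPENED = """00000080 00 00 18 00 00 00 00 00 00 00 00 00 00 00 C9 C6 ................
00000090 9A AC C8 25 33 47 A8 73 B0 0A 14 8D 0D CE 00 00 ...%3G.s........
000000A0 00 00 .."""
REQUEST = """00000080 05 00 ..
00000090 00 03 10 00 00 00 58 00 00 00 02 00 00 00 40 00 ......X.......@.
000000A0 00 00 00 00 10 00 00 00 00 00 C9 C6 9A AC C8 25 ...............%
000000B0 33 47 A8 73 B0 0A 14 8D 0D CE 0D 00 00 00 00 00 3G.s............
000000C0 00 00 0D 00 00 00 4D 00 53 00 45 00 78 00 63 00 ......M.S.E.x.c.
000000D0 68 00 61 00 6E 00 67 00 65 00 53 00 41 00 00 00 h.a.n.g.e.S.A...
000000E0 F1 35 04 00 00 00 .5...."""
```

The handle carried in the 0x10 request is the same 20 bytes that the successful 0xF response returned, which is how the two calls are tied together in a trace.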

Step 5: Modify the appropriate permissions

Administrators may not want to grant authenticated users the right to access SCMANAGER. Additionally, the sc sdset command in Method 1 frequently does not allow correct access to SCMANAGER. You can run an alternative SC command to grant this right directly to a specified security group.

For this alternative command to work, you must be able to retrieve the SID of the security group. To do this, you can use a tool such as PSGETSID. For more information about PSGETSID, visit the following Microsoft Web site:



Status

Method 1: Use the Sc.exe tool to grant sufficient permissions to authenticated users

Use version 5.2.3790.1830 of the Sc.exe tool that is located in the %windir%\system32 folder. The Sc.exe tool restores the functionality that lets you add or edit an e-mail address for a mail-enabled user on a computer that is running Windows Server 2003 SP1. Run the Sc.exe tool on the Exchange server to which you are remotely connecting, and then type the following at a command prompt:
sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
Note The permissions string is specified in Security Descriptor Definition Language (SDDL). Do not include any spaces in the SDDL string. Therefore, in this command, starting with the letter "D" after SCMANAGER, there are no spaces in the rest of the command. If you accidentally add a space and run the command, you could unintentionally remove all permissions from SCMANAGER. If this occurs, the SC SDSHOW SCMANAGER command returns an "Access is denied" error. Then, you can restore the default permissions by deleting the following registry key and restarting the server. After you restart the server, you can try to fix the original problem by using the SC SDSET command again.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\Security


The following permissions are granted after you run the command:
  • Discretionary access control list (DACL)
    • Allow to Authenticated Users: SDDL_CREATE_CHILD, SDDL_LIST_CHILDREN, SDDL_READ_PROPERTY, SDDL_READ_CONTROL
    • Allow to Interactively logged-on user: SDDL_CREATE_CHILD, SDDL_LIST_CHILDREN, SDDL_READ_PROPERTY, SDDL_READ_CONTROL
    • Allow to Service logon user: SDDL_CREATE_CHILD, SDDL_LIST_CHILDREN, SDDL_READ_PROPERTY, SDDL_READ_CONTROL
    • Allow to SYSTEM: SDDL_CREATE_CHILD, SDDL_LIST_CHILDREN, SDDL_READ_PROPERTY, SDDL_WRITE_PROPERTY, SDDL_READ_CONTROL
    • Allow to Built-in Administrators: SDDL_KEY_ALL
  • System access control list (SACL)
    • Audit activities of the Everyone group: SDDL_AUDIT_FAILURE, SDDL_KEY_ALL
    • Audit activities of the Everyone group: SDDL_INHERIT_ONLY, SDDL_OBJECT_INHERIT, SDDL_AUDIT_FAILURE, SDDL_GENERIC_ALL
    Note If you still receive the error message after you apply this set of permissions, try the following command:
    D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD) 
    
    For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    907460 Non-administrators cannot remotely access the Service Control Manager after you install Windows Server 2003 Service Pack 1
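
A pre-flight check for the string passed to sc sdset SCMANAGER, added here as a Python example that is not part of the original article: it rejects whitespace, expands each ACE into the SDDL_ names listed above, and reports whether Built-in Administrators keep SDDL_KEY_ALL and which rights go to Authenticated Users or Everyone. The function names are illustrative, and only the two-letter codes used in this article are mapped.

```python
import re

# Only the codes that appear in this article are mapped; others pass through.
RIGHTS = {"CC": "SDDL_CREATE_CHILD", "LC": "SDDL_LIST_CHILDREN",
          "RP": "SDDL_READ_PROPERTY", "WP": "SDDL_WRITE_PROPERTY",
          "RC": "SDDL_READ_CONTROL", "KA": "SDDL_KEY_ALL", "GA": "SDDL_GENERIC_ALL"}
TRUSTEES = {"AU": "Authenticated Users", "IU": "Interactively logged-on user",
            "SU": "Service logon user", "SY": "SYSTEM",
            "BA": "Built-in Administrators", "WD": "Everyone"}
SECTION = re.compile(r"([DS]):((?:\([^()]*\))+)")

def parse_sddl(sddl):
    """Return {'D': [...], 'S': [...]} of (type, flags, [rights], trustee) tuples."""
    if re.search(r"\s", sddl):
        raise ValueError("SDDL string contains whitespace")
    if "".join(m.group(0) for m in SECTION.finditer(sddl)) != sddl:
        raise ValueError("unexpected text outside the D: and S: ACE lists")
    acls = {}
    for kind, body in SECTION.findall(sddl):
        acls[kind] = []
        for ace in re.findall(r"\(([^()]*)\)", body):
            ace_type, flags, rights, _obj, _inh, trustee = ace.split(";")
            names = [RIGHTS.get(c, c) for c in re.findall("..", rights)]
            acls[kind].append((ace_type, flags, names, trustee))
    return acls

def preflight(sddl):
    """Findings to review before the string is applied to SCMANAGER."""
    dacl = parse_sddl(sddl).get("D", [])
    allows = [(names, who) for kind, _flags, names, who in dacl if kind == "A"]
    findings = []
    if not any(who == "BA" and "SDDL_KEY_ALL" in names for names, who in allows):
        findings.append("Built-in Administrators do not keep SDDL_KEY_ALL")
    for names, who in allows:
        if who in ("AU", "WD"):
            findings.append(f"{TRUSTEES[who]}: {', '.join(names)}")
    return findings

# The SDDL string from the Method 1 command in this article.
METHOD1 = ("D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)"
           "(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")
# Constructed mistake: the same string with one space typed between two ACEs.
SPACED = METHOD1.replace(")(A;;KA", ") (A;;KA")

if __name__ == "__main__":
    print(preflight(METHOD1))
```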

Method 2: Add Read and Write permissions to the user account

To add Read and Write permissions to the user account that was delegated on the Microsoft Exchange System Attendant service, follow these steps:
  1. On the Exchange server, start the Active Directory Users and Computers snap-in.
  2. Right-click the name of the domain, and then click Properties.
  3. Click the Group Policy tab, click Default Domain Policy, and then click Edit to open Group Policy Object Editor.
  4. Expand Computer Configuration, expand Windows Settings, expand Security Settings, and then expand System Services.
  5. Right-click the Microsoft Exchange System Attendant service, and then click Properties.
  6. Click to select the Define this policy setting check box, and then click Edit Security.
  7. Click Add, type username, click Check Names, and then click OK.
  8. Click to select the Read check box and the Write check box, and then click OK.
  9. Click Automatic to set the Service Startup Mode. Click OK, and then exit Group Policy Object Editor.
  10. Click OK, and then exit the Active Directory Users and Computers snap-in.
Note You may have to get the SC_MANAGER_ENUMERATE_SERVICE permission on Service Control Manager before you can query the status of MSExchangeSA.

Confirm that the Exchange server is a member of the Default Domain Policy by running the Gpresult utility. To do this, run the following command at a command prompt:
gpresult -v > c:\gpresult.txt
Open the Gpresult.txt file, and then view the Applied Group Policy Objects section under the Distinguished Name (DN) of the Exchange server. If the Default Domain Policy is not listed, you must apply the changes to either one of the policies that are listed, or you must create a new Group Policy setting and then apply the Read and Write permissions to it.



Keywords: KB905809, kbprb


Article Info
Article ID : 905809
Revision : 11
Created on : 12/9/2008
Published on : 12/9/2008