
How to troubleshoot access denied in a split permission model or minimum permissions model



Symptoms

When the administrative snap-in that you are using reports an "Access denied" error code, customers frequently wonder which attributes they lack permission for. This happens most frequently for user accounts that were delegated a limited set of permissions to change an OU or a domain, where the delegated user is not a member of "Account Operators" or "Domain Admins."

The "Access Denied" error code 0x80007005 is actually a Win32 interpretation of the LDAP error code. To determine the LDAP error code and the attribute to which you do not have access, follow the steps in the Resolution section.



Resolution

To resolve this issue, enable auditing for Failure on the object that you are trying to change. Then, try to make the change to this object. You can also look for Event 566 about the object in the Security log on the DC; this should tell you the exact permissions that you are lacking.
After you configure an audit policy setting, you can configure auditing for specific objects, such as users, computers, organizational units, or groups, by specifying both the kinds of access and the users whose access you want to audit.

To configure auditing for specific Active Directory objects:
  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. On the View menu, make sure that Advanced Features is selected (the command has a check mark next to it).
  3. Right-click the Active Directory object that you want to audit, and then click Properties.
  4. Click the Security tab, and then click Advanced.
  5. Click the Auditing tab, and then click Add.
  6. Complete one of the following:
    • Type the name of the user or the name of the group whose access you want to audit in the Enter the object name to select box, and then click OK.
    • In the list of names, double-click either the user or the group whose access you want to audit.
  7. Click to select either the Successful check box or the Failed check box for the actions that you want to audit, and then click OK.
  8. Click OK, and then click OK.
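
Once failure auditing is in place, the Event 566 entries mentioned above can be read programmatically. The following PowerShell is an added example, not part of the original KB article: it extracts the object, the requesting account and the denied properties from the description text of an Event 566 failure audit. The function name, the field labels, the constructed sample event and the DC01 placeholder are assumptions.

```powershell
# Added example. Field labels are assumed from the usual Event 566 description layout.
function ConvertFrom-Event566Message {
    param([Parameter(Mandatory = $true)][string]$Message)

    $fields  = @{}
    $props   = @()
    $inProps = $false
    foreach ($line in ($Message -split "`r?`n")) {
        $text = $line.Trim()
        if ($text -match '^(?<key>[^:]+):\s*(?<value>.*)$') {
            $key   = $Matches['key'].Trim()
            $value = $Matches['value'].Trim()
            $fields[$key] = $value
            # Any "Label: value" line ends a Properties block; "Properties:" starts one.
            $inProps = ($key -eq 'Properties')
            if ($inProps -and $value) { $props += $value }
        }
        elseif ($inProps -and $text) {
            # Indented lines under "Properties:" list the access, property set and attribute.
            $props += $text
        }
    }
    [pscustomobject]@{
        ObjectName = $fields['Object Name']
        ObjectType = $fields['Object Type']
        Client     = '{0}\{1}' -f $fields['Client Domain'], $fields['Client User Name']
        Accesses   = $fields['Accesses']
        Properties = $props
    }
}

# Constructed sample of an Event 566 description (not taken from a real log).
$sample = @"
    Object Type:        user
    Object Name:        CN=Test User,OU=Staff,DC=example,DC=com
    Client User Name:   helpdesk1
    Client Domain:      EXAMPLE
    Accesses:           Write Property
    Properties:
    Write Property
        Public Information
            description
    Access Mask:        0x20
"@
ConvertFrom-Event566Message -Message $sample | Format-List

# Against a live DC (Windows PowerShell; DC01 is a placeholder name):
# Get-EventLog -LogName Security -InstanceId 566 -EntryType FailureAudit -ComputerName DC01 -Newest 20 |
#     ForEach-Object { ConvertFrom-Event566Message -Message $_.Message }
```

For the sample, the Properties field comes back as Write Property, Public Information, description, which names the attribute the delegated account could not write.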



Keywords: KB924255, kbtshoot, kbprb


Article Info
Article ID : 924255
Revision : 4
Created on : 10/25/2007
Published on : 10/25/2007