Microsoft Knowledge Base Email Alertz
All KB/RSS Links  |  Hot Kb!  |  New Kb!  |  Scott Cate  |  FAQ / KB  |  Web Hosting  |  Unsubscribe  

When you try to install Microsoft System Center Operations Manager 2007 Reporting, the installation is unsuccessful

Search KbAlertz

Advanced Search

Receive Microsoft Knowledge Base articles by E-Mail?

Every night we scan the Microsoft Knowledge Base. If technologies you're interested in are updated, we'll send you an e-mail. You only get one e-mail a day, and only when new articles are added.
Click here to create a
FREE account
Already have an account?
[Click here to Login]











Microsoft Knowledge Base Article

This article contents is Microsoft Copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks
Article ID: 938627 - Last Review: October 31, 2007 - Revision: 1.1

When you try to install Microsoft System Center Operations Manager 2007 Reporting, the installation is unsuccessful

View products that this article applies to.

SYMPTOMS

When you try to install the Microsoft System Center Operations Manager 2007 Reporting feature, the installation is unsuccessful. When this problem occurs, the Operations Manager event log may contain the following error message:
Date: date
Source: OpsMgr SDK Service
Time: time
Category: None
Type: Error
Event ID: 26319
User: N/A
Computer: Computername
Description: An exception was thrown while processing GetUserRolesForOperationAndUser for session id uuid:UUID. Exception Message: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) Full Exception: System.UnauthorizedAccessException: Access is denied. (Exception fro HRESULT: 0x80070005 (E_ACCESSDENIED))
Exception Message: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) Full Exception: System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) at Microsoft.Interop.Security.AzRoles.IAzApplication2.InitializeClientContextFr omStringSid(String SidString, Int32 lOptions, Object varReserved) at Microsoft.EnterpriseManagement.Mom.Sdk.Authorization.AzManHelper.GetScopedRo leAssignmentsForUser(IList`1 roleNames, String userName) at Microsoft.EnterpriseManagement.Mom.Sdk.Authorization.AuthManager.GetUserRole sForOperationAndUser(Guid operationId, String userName) at Microsoft.EnterpriseManagement.Mom.ServiceDataLayer.SdkDataAccess.GetUserRol esForOperationAndUser(Guid operationId, String userName) at Microsoft.EnterpriseManagement.Mom.ServiceDataLayer.SdkDataAccessTieringWrap per.GetUserRolesForOperationAndUser(Guid operationId, String userName) at Microsoft.EnterpriseManagement.Mom.ServiceDataLayer.SdkDataAccessExceptionTr acingWrapper.GetUserRolesForOperationAndUser(Guid operationId, String userName)
Back to the top

CAUSE

This problem occurs when the SDK service account does not have read access to the tokenGroupsGlobalAndUniversal attribute. The SDK service's authorization manager requires this access to determine the security groups to which a user belongs.

This problem occurs if one of the following conditions is true:
  • You install the Operations Manager 2007 Reporting feature in a Window Server 2003 domain environment, and the Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems option is enabled.
  • You install the Operations Manager 2007 Reporting feature in a Windows 2000 domain environment, and the Permissions compatible only with Windows 2000 servers option is enabled.
Back to the top

RESOLUTION

To resolve this problem, add the SDK service account to the Windows Authorization Access group. To do this, follow these steps:
  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In Active Directory Users and Computers, click Builtin, and then double-click Windows Authorization Access Group.
  3. Click the Members tab, and then add the SDK service account to the members list.
Back to the top

MORE INFORMATION

By default, if the Permissions compatible with pre-Windows 2000 servers option is enabled when the domain is created, every member of the domain is added to the Pre-Windows 2000 Compatible Access group. In this situation, the Pre-Windows 2000 Compatible Access group has read access to the tokenGroupsGlobalAndUniversal attribute. Therefore, no action is required unless the Pre-Windows 2000 Compatible Access group name is manually changed.

For more information about this problem, click the following article number to view the article in the Microsoft Knowledge Base:
331951  (http://kbalertz.com/Feedback.aspx?kbNumber=331951/ ) Some applications and APIs require access to authorization information on account objects
Back to the top
APPLIES TO
  • Microsoft System Center Operations Manager 2007
Back to the top
Keywords: 
kbtshoot kbexpertiseinter kbprb KB938627
Back to the top
        

Community Feedback System

Very often, it takes hours to solve a problem. Very often, you've looked high and low, and have tried a lot of solutions. When you finally found it, chances are, it was because someone else helped you. Here's your chance to give back. Use our community feedback tool to let others know what worked for you and what didn't.

Please also understand that the community feedback system is not warranted to be correct, it's simply a system that we've built to let people try and help each other. If something in a feedback response doesn't make sense to you, or you're not comfortable making changes that the feedback talks about (like registry edits), please consult a professional.

Thank you for using kbAlertz.com Feedback System.

-- Scott Cate

Copyright © 2002-2007 KBALERTZ.COM.  All Rights Reserved. Terms / PrivacyDiscount ASP.NET Hosting